Last-Moment Bid Cancellation Possibility

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/AuctionDemo.sol#L124-L130

Vulnerability details

Impact

The current implementation of the cancelBid function in auctionDemo.sol permits bidders to withdraw their bids up until the exact end of the auction as determined by minter.getAuctionEndTime(_tokenid). This creates an opportunity for a bidder to place an artificially high 'blocking bid' to deter other participants and then withdraw that bid in the last possible block before the auction ends, potentially placing a lower bid immediately after and winning the auction due to the lack of time for other participants to respond.

This behavior compromises the fairness of the auction by allowing a participant to manipulate the bidding process without intending to win with the high bid.

The existence of a high but insincere bid may deter legitimate interest in the auction, potentially reducing the final sale price for the auctioneer.

Recommended Mitigation Steps

Implement a period (e.g., 5 average block time) during which bids cannot be canceled. This lock-in period will prevent last-minute bid cancellations and give participants a clearer view of genuine interest in the auction item.

Assessed type

Other

[c4-pre-sort]

141345 marked the issue as duplicate of #962

[c4-judge]

alex-ppg marked the issue as not a duplicate

[c4-judge]

alex-ppg marked the issue as duplicate of #1784

[c4-judge]

alex-ppg marked the issue as duplicate of #1323

[c4-judge]

alex-ppg marked the issue as unsatisfactory:
Insufficient quality

[c4-judge]

alex-ppg marked the issue as satisfactory

[c4-judge]

alex-ppg marked the issue as unsatisfactory:
Insufficient quality