Platform: Code4rena
Start Date: 24/02/2022
Pot Size: $75,000 USDC
Total HM: 21
Participants: 28
Period: 7 days
Judge: alcueca
Total Solo HM: 15
Id: 94
League: ETH
Rank: 25/28
Findings: 1
Award: $207.42
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: leastwood
Also found by: 0x1f8b, 0xliumin, 0xwags, CertoraInc, Dravee, IllIllI, Ruhum, TerrierLover, WatchPug, cmichel, csanuragjain, defsec, gzeon, hubble, jayjonah8, kenta, kirk-baird, rfa, robee
207.419 USDC - $207.42
A buyer can set a low price and call placeBid() to drive up the price, thereby creating interest for their NFT.
Can check whether the msg.sender is the seller to prevent them from calling this function. But the issue still remains if they use another address to manipulate bids.
#0 - HardlyDifficult
2022-03-03T13:08:19Z
Yes - this is a valid point and something we might want to revisit. It's awkward that a seller could drive up a price on their own auction. But as you point out, if we attempted to stop it they could still do so by simply using a different address to place the bid. So for now, we've opted to not increase gas for other users by reverting in this scenario.
One mitigation is that the history of the auction is very visible, both on our site and on-chain. So if a seller were to do this using the same account - others can clearly see the attempted manipulation.
#1 - alcueca
2022-03-17T09:21:09Z
Unadjusted score: 20 - Unusual operation allowed to users.