No incentive to bid in auction until last moment #736
Comments
auction extension mechanism suggestion. This one is more suitable for analysis
141345 marked the issue as sufficient quality report
a2rocket (sponsor) disputed
the intended design was not to have extension.
The Warden specifies that the auction's implementation incentivizes users to bid at the last second to not reveal their bids. This recommendation does align with best practices, such as those employed by OpenSea which will extend an auction by 10 minutes if a bid is made near the end. I understand that this type of submission has been judged as a medium in the past, however, I do not agree with the precedence. At best, user experience will be impacted whereby users assumed they had won an auction but have been outbid. This results in the NFT being sold at a higher price point than it would already have which is a benefit for the protocol as a whole. The recommended course of action would essentially increase this potential benefit rather than prevent it by allowing more outbids to occur until a "better" price is established. I agree that this is an enhancement and adopting best practices (such as those I cited from OpenSea) is advisable, however, it does not constitute a medium-severity vulnerability. This is better suited under an Analysis submission or as a QA submission.
alex-ppg changed the severity to QA (Quality Assurance)
alex-ppg marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/AuctionDemo.sol#L57-L61
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L518-L520
Vulnerability details
Impact
Each auction defines a fixed end time, which provides no incentive to bid, except at the last moment, which can be exploited by MEV, in deterrence of all other users of the protocol.
Citing from a similar issue on a previous contest as it leads to the same impact: "The current auction system doesn't allow for a proper price discovery". The current design can quickly lead to a suboptimal final price as someone may have increased its bid given more time.
Evaluated as Medium as a function of the protocol impacted due to improper price discovery of its assets.
Proof of Concept
Whenever a new bid is placed via participateToAuction(), the auction end time is not increased. AuctionDemo.sol#L57-L61
getAuctionEndTime() returns a fixed value, that does not depend on the last bid: MinterContract.sol#L518-L520
Tools Used
Manual Review
Recommended Mitigation Steps
Extend the auction end time after each bid if the time is close to the end.
Assessed type
MEV
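A sketch of the recommended mitigation, added here as an example and not taken from the NextGen contracts or from the report: a soft-close auction in which a bid placed inside the final window pushes the end time out. The contract name, the 10-minute window (mirroring the OpenSea behaviour cited in the judging comment), the 1-day cap on total extension and the pull-payment refund are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: minimal single-item auction with a soft close.
// All names and constants are hypothetical, not from AuctionDemo.sol.
contract SoftCloseAuction {
    uint256 public constant EXTENSION_WINDOW = 10 minutes; // assumed value
    uint256 public constant MAX_EXTENSION = 1 days;        // assumed cap on total extension
    uint256 public immutable originalEndTime;
    uint256 public endTime;
    address public highestBidder;
    uint256 public highestBid;
    mapping(address => uint256) public pendingReturns;

    event BidPlaced(address indexed bidder, uint256 amount, uint256 newEndTime);

    constructor(uint256 duration) {
        uint256 end = block.timestamp + duration;
        originalEndTime = end;
        endTime = end;
    }

    function bid() external payable {
        require(block.timestamp <= endTime, "auction ended");
        require(msg.value > highestBid, "bid too low");

        // Credit the previous leader for later withdrawal (no external call here).
        if (highestBidder != address(0)) {
            pendingReturns[highestBidder] += highestBid;
        }
        highestBidder = msg.sender;
        highestBid = msg.value;

        // Soft close: a bid inside the final window moves the end out so other
        // bidders get a full window to respond, bounded by a hard cap.
        if (endTime - block.timestamp < EXTENSION_WINDOW) {
            uint256 extended = block.timestamp + EXTENSION_WINDOW;
            uint256 hardCap = originalEndTime + MAX_EXTENSION;
            endTime = extended < hardCap ? extended : hardCap;
        }
        emit BidPlaced(msg.sender, msg.value, endTime);
    }

    function withdraw() external {
        uint256 amount = pendingReturns[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingReturns[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A production version would also enforce a minimum bid increment, so that each extension costs the bidder a meaningful raise rather than one wei.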