Droll Scarlet Mongoose - Bid Replacement Issue: New Bidder Can Replace Existing Bidders with Equal Price but Higher Volume

[sherlock-admin2]

Droll Scarlet Mongoose

Medium

Bid Replacement Issue: New Bidder Can Replace Existing Bidders with Equal Price but Higher Volume

Summary

In Auction.sol::bid(), when a new bid with the same price ratio (reserveAmount:sellCouponAmount) but a higher sellCouponAmount is placed, it can replace existing bids. This occurs even if only a portion of the new bid’s sellCouponAmount matches the replaced bids. The current behavior disregards the fairness of existing bids and may discourage smaller bidders.

Root Cause

https://github.com/sherlock-audit/2024-12-plaza-finance/blob/14a962c52a8f4731bbe4655a2f6d0d85e144c7c2/plaza-evm/src/Auction.sol#L125

The bid replacement logic in Auction.sol::bid() prioritizes bids with higher sellCouponAmount, regardless of whether the price ratio (reserveAmount:sellCouponAmount) remains constant:

As long as the new bid’s sellCouponAmount exceeds existing bids, the system will replace them, even if the price ratio remains identical.

Internal Pre-conditions

•	An auction allows a limited number of bids (e.g., 1000).
•	Existing bids are in place with equal price ratios but smaller volumes.

External Pre-conditions

•	A new bidder places a bid with the same reserveAmount:sellCouponAmount ratio but a higher sellCouponAmount.

Attack Path

No response

Impact

•	Smaller bidders with equivalent price ratios are unfairly displaced by higher-volume bids.
•	This behavior reduces inclusivity and fairness, potentially alienating smaller participants in the auction

PoC

No response

Mitigation

Update the bid evaluation logic to ensure replacement occurs only when the new bid offers a higher price ratio (reserveAmount:sellCouponAmount):