Priorities in dealing with deadbeat buyers, IMHO:
1. Penalize the deadbeat. If a person made a very rare but accidental mistake, like added an extra digit to their bid, then a warning is fine to ensure they take better care when bidding in the future. Mistakes can happen. I can see where people might accidentally bid on the wrong domain, but the systems in place should help ensure that doesn't happen to anyone paying attention. And they should be banned from the auction system for a week just to get their attention. But if their bidding pattern was that they bid incrementally (therefore obviously not an accident), like $500, then $550, then $600, etc. and they decide not to pay, then there should be no mercy. I'd put in the terms of service that at your discretion you will automatically bill their credit card for a 25% penalty of their bid price as a penalty for reneging - and I wouldn't take bids from them unless there is a valid credit card on file. If you take bids from someone that doesn't offer up a valid payment method, then that's on you and you shouldn't have allowed them into the auction system without it, otherwise you're just letting those people ruin the integrity of the system. Serious consequences will ensure people don't make "mistakes". You're a business, not the liberal gov't - actions should have consequences.
2. As a courtesy, I believe that ROFR should go to the original 2nd highest bidder at their highest bid. That is fair (presuming you know the second highest bidder isn't likely working in conjunction with the top bidder, i.e. two brand new accounts with no histories of winning bids). But if they pull a Rick Schwartz and claim they shouldn't even pay that price because of the fake bidder, then just tell them it was offered simply as a courtesy but not an obligation, and that since they've turned the courtesy offer down, then policy dictates that the domain will move on to a full re-auction. Obviously you would need to give time to decide, but that time should end prior to the next auction cycle (so it can be re-auctioned).
3. As for the auction itself, I see two viable options:
a) a dutch auction where the price starts at the defaulted bidder's price and descends by small increments at regular intervals until a buyer accepts the price. In this scenario, anyone actually wanting the domain might be willing to just pay the price of the bad bid or face losing it as the price drops. This would limit the seller's upside to the original bid, but it might also limit the downside by the FOMO effect on the other bidders.
b) a regular full re-auction open to any bidder. I count myself among those that often enter an auction late in the process, so a high bid that was false might have kept me out of an auction - this is why it is important to include any bidder, not just previous bidders.
The realities of the KISS principle will likely dictate that you'll do option b) and not option a).
4. As for auction timing, back to the KISS principle, you should probably just include it in the next auction cycle and flag it with a re-auction symbol, but otherwise treated like any other domain.