Description
When a bidder places a bid, the `bid` function dispatches an event, as you can see below. The issue is that the value of `self.highest_bid.read()` is the previous highest bid, which was probably not placed by the sender, as it is unlikely they would bid against their own previous bid. If these events are used in any meaningful way, such as for refund approvals, the accounting will be incorrect and the wrong values will be used.
Note: The Known Issues state:
We can assume that the approval of the ERC721 and ERC20 tokens is done before the transfer.
Therefore it's not unreasonable to assume these events may be used in a meaningful way by external services.
Impact
Incorrect events dispatched may lead to external or off-chain accounting errors.
Recommended mitigation
Emit the event after the highest_bid storage variable has been updated.
Tools Used
Manual Review
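The effect on an off-chain consumer can be reproduced with a small Python model, added here as an illustration and not taken from the audited contract. The `sender` field on the event, the sample bids, and the refund rule in `refunds_from_events` are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class NewHighestBid:
    sender: str   # assumed field: who placed the bid
    amount: int   # value the contract reported for that bid


@dataclass
class Auction:
    """Constructed model of the bid flow, not the project's Cairo code."""
    emit_after_update: bool
    highest_bid: int = 0
    events: list = field(default_factory=list)

    def bid(self, sender: str, amount: int) -> None:
        if amount <= self.highest_bid:
            raise ValueError("bid must exceed the current highest bid")
        if not self.emit_after_update:
            # Reported behaviour: the amount is read from storage before
            # storage is updated, so it is the previous bidder's value.
            self.events.append(NewHighestBid(sender, self.highest_bid))
        self.highest_bid = amount
        if self.emit_after_update:
            # Recommended mitigation: emit once storage holds the new bid.
            self.events.append(NewHighestBid(sender, self.highest_bid))


def refunds_from_events(events: list) -> dict:
    """Hypothetical off-chain service: each outbid bidder is owed the
    amount the event attributed to them. The last event is the winner."""
    owed: dict = {}
    for ev in events[:-1]:
        owed[ev.sender] = owed.get(ev.sender, 0) + ev.amount
    return owed


def run(emit_after_update: bool) -> dict:
    auction = Auction(emit_after_update)
    # Constructed sample bids.
    for sender, amount in [("alice", 100), ("bob", 150), ("carol", 220)]:
        auction.bid(sender, amount)
    return refunds_from_events(auction.events)


if __name__ == "__main__":
    print("emit before update:", run(False))
    print("emit after update: ", run(True))
```

With the event emitted before the storage write, every bidder is credited with the bid of the person they outbid, so the first bidder appears to be owed nothing.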
The `bid` function emits the `NewHighestBid` event with the wrong parameter. The `amount` parameter is `self.highest_bid.read()`, which is called before the update of the `highest_bid` variable.