Unrestricted Multiple Emissions of AuctionEnded Event
01. Relevant GitHub Links
02. Summary
In the Auction contract, the checkAuctionEnded function emits an AuctionEnded event every time it is called, without access restrictions, once the auction has ended. Any user can call this function repeatedly after endTime, causing the AuctionEnded event to be emitted multiple times. This can mislead off-chain services or users relying on event logs to track the actual end of the auction.
03. Vulnerability Details
The contract code shows that checkAuctionEnded only checks if block.timestamp >= state.endTime and, if true, immediately emits the AuctionEnded event:
Because there is no other limitation (like a state change or an access control check), anyone can keep calling this function once the auction has ended. The same AuctionEnded event can therefore be logged repeatedly, potentially confusing participants or observers.
Additionally, the contract does not emit the AuctionEnded event automatically when the auction finishes, relying solely on this externally callable function.
04. Impact
Repeated emissions of the same AuctionEnded event can clutter logs and mislead event-based automated tasks or indexers.
Off-chain services (e.g., auction trackers, data indexers) and users may falsely interpret multiple logs as multiple conclusion events.
05. Tools Used
Manual Code Review and Foundry
06. Recommended Mitigation
Restrict the checkAuctionEnded function to emit the event only once.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.