Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Incorrect Event Emission in function placeBid

Description

The placeBid function in the BidBeastsNFTMarket contract emits the AuctionSettled event on every regular bid instead of only when the auction actually settles.

    function placeBid(uint256 tokenId) external payable isListed(tokenId) {
        // ... bidding logic ...
        require(msg.sender != previousBidder, "Already highest bidder");
        emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value); // INCORRECT
        // ... more bidding logic ...
    }

Risk

Severity: Medium

Likelihood: High - This occurs on every regular bid placement

Impact:

  • Off-chain systems receive false settlement notifications

  • Frontend applications may show "Auction Complete" incorrectly

  • Users monitoring events think auctions have ended prematurely

  • Automated systems might stop bidding due to false completion signals

  • Event logs become unreliable for tracking actual settlements

Proof of Concept

The following test function demonstrates that the issue exists; it passes against the current contract:

    function test_incorrectEventEmission_AuctionSettledDuringBidding() public {
        _mintNFT();
        _listNFT();

        // Place first bid to start auction (must be > min price)
        vm.prank(BIDDER_1);
        market.placeBid{value: MIN_PRICE + 0.1 ether}(TOKEN_ID);

        uint256 secondBidAmount = MIN_PRICE * 120 / 100;

        // Expect the INCORRECT AuctionSettled event when placing a regular bid
        // This proves the vulnerability exists - AuctionSettled should NOT be emitted here
        vm.expectEmit(true, true, true, true, address(market));
        emit AuctionSettled(TOKEN_ID, BIDDER_2, SELLER, secondBidAmount);

        // Place second bid - this should emit BidPlaced, NOT AuctionSettled
        vm.prank(BIDDER_2);
        market.placeBid{value: secondBidAmount}(TOKEN_ID);

        // Auction should still be active (not settled)
        BidBeastsNFTMarket.Listing memory listing = market.getListing(TOKEN_ID);
        assertTrue(listing.listed, "Auction should still be active");
        assertTrue(listing.auctionEnd > block.timestamp, "Auction should not have ended");

        // This test proves that AuctionSettled event is incorrectly emitted
        // during regular bidding, misleading off-chain systems
    }

Test Results: PASS - This confirms the vulnerability

[PASS] test_incorrectEventEmission_AuctionSettledDuringBidding() (gas: 320082)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.99ms (411.00µs CPU time)

Impact demonstration:

  • Test expects AuctionSettled event during regular bidding and succeeds

  • Auction remains active (listing.listed = true)

  • Auction timer continues (auctionEnd > block.timestamp)

  • Off-chain systems receive false settlement notification while auction is ongoing
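
A consumer-side check for the condition listed above, as an added example that is not part of the original submission or the BidBeasts code: an off-chain indexer accepts AuctionSettled as final only after reading the listing state at the event's block. The Listing and LogEvent types, the get_listing_at callback and the sample data are constructed for illustration, and the rule that a real settlement clears listing.listed is an assumption the page does not show.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

@dataclass(frozen=True)
class Listing:
    listed: bool       # listing.listed, as asserted in the PoC
    auction_end: int   # listing.auctionEnd, unix seconds

@dataclass(frozen=True)
class LogEvent:
    name: str
    token_id: int
    block_number: int
    block_time: int    # timestamp of the block that carried the log

def verdict(ev: LogEvent, listing: Listing) -> str:
    """Judge one AuctionSettled log against the listing state at its block."""
    if not listing.listed:                   # assumption: settlement clears `listed`
        return "settled"
    if listing.auction_end > ev.block_time:  # same two conditions the PoC asserts
        return "still-bidding"
    return "expired-unsettled"               # timer ran out, sale not executed yet

def classify_settlements(
    events: Iterable[LogEvent],
    get_listing_at: Callable[[int, int], Listing],
) -> List[Tuple[int, str]]:
    """Return (block_number, verdict) for every AuctionSettled log.

    get_listing_at(token_id, block_number) stands in for reading
    getListing(tokenId) at that block; it is a hypothetical callback.
    """
    return [
        (ev.block_number, verdict(ev, get_listing_at(ev.token_id, ev.block_number)))
        for ev in events
        if ev.name == "AuctionSettled"
    ]

# Constructed sample: two bids on token 1 (each emits the wrong event),
# then the real settlement after the auction end at t=2000.
SAMPLE_EVENTS = [
    LogEvent("AuctionSettled", 1, 100, 1000),
    LogEvent("AuctionSettled", 1, 101, 1012),
    LogEvent("AuctionSettled", 1, 150, 2004),
]
SAMPLE_STATE = {(1, 100): Listing(True, 2000), (1, 101): Listing(True, 2000),
                (1, 150): Listing(False, 2000)}

def sample_lookup(token_id: int, block_number: int) -> Listing:
    return SAMPLE_STATE[(token_id, block_number)]
```

Only logs judged "settled" should drive an "Auction Complete" state; the other two verdicts mean the event came from a bid or the sale has not executed yet.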

Recommended Mitigation

Replace the incorrect event emission with the appropriate BidPlaced event:

- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);
+ emit BidPlaced(tokenId, msg.sender, msg.value);
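
Review bot: the added emit BidPlaced(tokenId, msg.sender, msg.value) keeps the position of the removed line, which in the placeBid excerpt sits directly after the "Already highest bidder" check and before the remaining bidding logic. Consider moving it to after the bid state has been updated so the log reflects the completed state change, and confirm the three arguments match the BidPlaced declaration, which is not shown here. The proof-of-concept test expects AuctionSettled from placeBid, so it needs to be changed to expect BidPlaced once this lands, otherwise it will fail.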

The AuctionSettled event should only be emitted in _executeSale() when the auction actually completes.

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
