Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Wrong Event Emission Misleads Off-Chain Systems

pxlvre

High: Wrong Event Emission Misleads Off-Chain Systems

Description

The placeBid() function should emit BidPlaced events for regular bids and AuctionSettled events only when auctions are finalized.
The function incorrectly emits AuctionSettled event for every regular bid, before the actual bid logic executes, causing confusion in event monitoring systems.

// Regular bidding section

require(msg.sender != previousBidder, "Already highest bidder");

emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value); // @> Wrong event! Should be BidPlaced

// ... bid logic continues after event emission ...

Risk

Likelihood:

Occurs on every regular bid that isn't a buy-now purchase
Happens whenever the bidding continues past the initial checks

Impact:

Off-chain systems receive false settlement notifications
Analytics and monitoring tools show incorrect auction states
Users may think auctions are settled when they're still active

Proof of Concept

This test shows how the incorrect event emission confuses off-chain monitoring systems. The AuctionSettled event is emitted for regular bids, making it appear as if the auction has ended when it's actually still ongoing.

function test_WrongEventEmission() public {

// Setup auction

_mintNFT();

_listNFT();

// Monitor events

vm.expectEmit(true, true, true, true);

emit AuctionSettled(TOKEN_ID, BIDDER_1, SELLER, 2 ether); // This shouldn't be emitted!

vm.expectEmit(true, true, true, true);

emit BidPlaced(TOKEN_ID, BIDDER_1, 2 ether); // This should be the only event

// Place a regular bid (not buy-now)

vm.prank(BIDDER_1);

market.placeBid{value: 2 ether}(TOKEN_ID);

// Verify auction is still active

BidBeastsNFTMarket.Listing memory listing = market.getListing(TOKEN_ID);

assertTrue(listing.listed, "Auction should still be active");

assertTrue(listing.auctionEnd > block.timestamp, "Auction should not be ended");

// Off-chain systems see AuctionSettled and think it's over

// But the auction is actually still running for 15 more minutes!

}

Recommended Mitigation

Remove the incorrect AuctionSettled event emission from the regular bidding flow. This event should only be emitted in _executeSale() when the auction actually settles. The BidPlaced event at line 176 correctly indicates a new bid has been placed.

// In placeBid() function, around line 143:

require(msg.sender != previousBidder, "Already highest bidder");

- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);

// The correct BidPlaced event is already emitted later at line 176:

// emit BidPlaced(tokenId, msg.sender, msg.value); ✓ Keep this

// AuctionSettled is correctly emitted in _executeSale() at line 221:

// emit AuctionSettled(tokenId, bid.bidder, listing.seller, bid.amount); ✓ Keep this

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!