Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Lack of Indexing in Marketplace Events Leads to Poor Event Queryability

ratt13snak3

Lack of Indexing in Marketplace Events Leads to Poor Event Queryability

Description

Normally, Solidity events should use the indexed keyword on key parameters such as addresses and token IDs. This allows external systems like dApps, analytics tools, and block explorers to efficiently filter and search events.

In the current implementation of BidBeastsNFTMarket, none of the marketplace events are indexed. This omission prevents users and developers from filtering events by seller, bidder, or token ID, reducing transparency and usability.

event NftListed(uint256 tokenId, address seller, uint256 minPrice, uint256 buyNowPrice); // @> no indexed parameters

event NftUnlisted(uint256 tokenId); // @> no indexed parameters

event BidPlaced(uint256 tokenId, address bidder, uint256 amount); // @> no indexed parameters

event AuctionExtended(uint256 tokenId, uint256 newDeadline); // @> no indexed parameters

event AuctionSettled(uint256 tokenId, address winner, address seller, uint256 price); // @> no indexed parameters

event FeeWithdrawn(uint256 amount);

Risk

Likelihood:

Every time an event is emitted, it cannot be efficiently filtered by token ID, seller, or bidder.
Off-chain services and analytics platforms will face increased difficulty in tracking user-specific or token-specific activity.

Impact:

Reduced usability for dApps, explorers, and analytics platforms.
Users cannot easily query their own activity history or NFT transaction records.

Proof of Concept

// Example: fetching BidPlaced events for a given bidder is not possible

// without iterating through all logs manually due to missing indexed fields.

BidPlaced(1234, 0xABCD..., 1 ether);

BidPlaced(5678, 0xABCD..., 2 ether);

Recommended Mitigation

Add indexed to key parameters in each event. For example:

- event NftListed(uint256 tokenId, address seller, uint256 minPrice, uint256 buyNowPrice);

+ event NftListed(uint256 indexed tokenId, address indexed seller, uint256 minPrice, uint256 buyNowPrice);

- event NftUnlisted(uint256 tokenId);

+ event NftUnlisted(uint256 indexed tokenId);

- event BidPlaced(uint256 tokenId, address bidder, uint256 amount);

+ event BidPlaced(uint256 indexed tokenId, address indexed bidder, uint256 indexed amount);

- event AuctionExtended(uint256 tokenId, uint256 newDeadline);

+ event AuctionExtended(uint256 indexed tokenId, uint256 indexed newDeadline);

- event AuctionSettled(uint256 tokenId, address winner, address seller, uint256 price);

+ event AuctionSettled(uint256 indexed tokenId, address indexed winner, address indexed seller, uint256 price);

event FeeWithdrawn(uint256 amount); // no need to index

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!