Bid Beasts
First Flight #49
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

[M-1] Incorrect AuctionSettled Event Emitted on New Bid

cosminmarian53

Incorrect AuctionSettled Event Emitted on New Bid, leads to displaying wrong data to off-chain services

Description

  • The contract should emit events that accurately reflect the actions being taken. BidPlaced should be emitted for new bids, and AuctionSettled for the final sale.

  • The placeBid function incorrectly emits an AuctionSettled event when a new regular bid is made. This provides misleading data to off-chain services and UIs, suggesting an auction has concluded when it is still active.

// src/BidBeastsNFTMarketPlace.sol
require(msg.sender != previousBidder, "Already highest bidder");
// @> Incorrect event is emitted here, should be `BidPlaced`.
emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);
// --- Regular Bidding Logic ---

Risk

Likelihood: High

  • This incorrect event is emitted for every non-buy-now bid placed on any auction.

Impact: Low

  • Funds are not at risk.

  • The state of the contract is handled incorrectly from an events perspective, disrupting off-chain monitoring and potentially confusing users.

Proof of Concept

The following test should prove that, the event is emitted wrongfully. Add it to BidBeastsMarketPlaceTest.t.sol:

function test_event_emitted_on_regular_bid() public {
// Setup: Mint and list NFT
_mintNFT();
_listNFT();
// Place a regular bid (not buy-now)
vm.prank(BIDDER_1);
vm.recordLogs();
market.placeBid{value: MIN_PRICE + 1}(TOKEN_ID);
Vm.Log[] memory entries = vm.getRecordedLogs();
bool foundAuctionSettled = false;
bool foundBidPlaced = false;
bytes32 auctionSettledSig = keccak256("AuctionSettled(uint256,address,address,uint256)");
bytes32 bidPlacedSig = keccak256("BidPlaced(uint256,address,uint256)");
for (uint256 i = 0; i < entries.length; i++) {
if (entries[i].topics.length > 0) {
if (entries[i].topics[0] == auctionSettledSig) {
foundAuctionSettled = true;
}
if (entries[i].topics[0] == bidPlacedSig) {
foundBidPlaced = true;
}
}
}
assertTrue(foundAuctionSettled, "AuctionSettled event should NOT be emitted for a regular bid");
assertTrue(foundBidPlaced, "BidPlaced event should be emitted for a regular bid");
}

Recommended Mitigation

Remove the event emission from placeBid and move it to settleAuction where it should be:

// src/BidBeastsNFTMarketPlace.sol
require(msg.sender != previousBidder, "Already highest bidder");
- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);
// --- Regular Bidding Logic ---
....
}
...
function settleAuction(uint256 tokenId) external isListed(tokenId) {
//settle auction logic here
...
_executeSale(tokenId);
// this is where the event should be emitted
+ emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!