Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Incorrect Placement of AuctionSettled Event Emission Leads to Misleading Auction Status

ratt13snak3

Incorrect Placement of AuctionSettled Event Emission Leads to Misleading Auction Status

Description

Normally, the AuctionSettled event should only be emitted once an auction has concluded, i.e the NFT has been successfully transferred to the winning bidder and payment has been distributed to the seller.
In the current implementation, the AuctionSettled event is emitted immediately when a new bid is placed. At this point, the auction is still active, the NFT remains with the seller, and funds have not yet been distributed. This results in off-chain systems receiving false signals about the auction’s state. in BidBeastsNFTMarket.

require(msg.sender != previousBidder, "Already highest bidder");

emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value); // @> wrongly emitted here, not at auction settlement

Risk

Likelihood:

Every time a bid is placed, the AuctionSettled event is emitted incorrectly.
Off-chain applications, including dApps, marketplaces, and block explorers, will routinely interpret bids as completed auctions.

Impact:

Users and dApps may believe auctions are finalized prematurely, leading to confusion or erroneous actions based on false event data.
Analytics platforms and marketplace integrations may display incorrect auction outcomes, undermining trust in the system.

Proof of Concept

// User places a bid, and AuctionSettled is emitted immediately

// even though the auction is ongoing and settlement has not occurred.

placeBid(tokenId);

// Expected: AuctionSettled emitted only when auction ends and NFT is transferred.

// Actual: AuctionSettled emitted during bidding phase.

Recommended Mitigation

The AuctionSettled event should only be emitted inside the settlement logic, after both the NFT transfer and payment distribution have occurred.

require(msg.sender != previousBidder, "Already highest bidder");

- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!