Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

### [H-2]: Logic Error - Misplaced Event Emission in `placeBid()`

xylem56

[H-2]: Logic Error - Misplaced Event Emission in `placeBid()`

Severity: High
Impact: Logic Corruption, Off-chain Integration Issues
Likelihood: High

Description:
The AuctionSettled event is incorrectly emitted during regular bidding flow, not when an auction is actually settled.

Vulnerable Code:

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

// ... buy-now logic ...

require(msg.sender != previousBidder, "Already highest bidder");

emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);

// regular bidding logic continues

}

Impact:

Off-chain systems tracking auction settlements will receive false signals
Event logs will show "settled" auctions that are still active
Breaks integration with marketplaces, analytics tools, and user interfaces

Proof of Concept:

// Test scenario showing the logic flow

contract EventLogicTest {

event AuctionSettled(uint256 indexed tokenId, address winner, address seller, uint256 price);

function demonstrateIssue() external {

// User calls placeBid() with regular bid (not buy-now)

// Event AuctionSettled(tokenId, bidder, seller, bidAmount) is emitted

// But auction is NOT settled - it continues running!

// This breaks off-chain systems expecting:

// AuctionSettled = auction is complete and NFT transferred

// Reality: NFT still in marketplace, auction still active

}

Impact Demonstration:

// Off-chain monitoring system (broken by this bug)

marketplace.on('AuctionSettled', (tokenId, winner, seller, price) => {

// System assumes auction is complete

updateUI("Auction Complete - Winner: " + winner);

removeFromActiveAuctions(tokenId);

// But auction is actually still running!

// Users see confusing state where "completed" auctions accept more bids

});

Recommended Mitigation:
Remove the misplaced event emission. AuctionSettled should only be emitted in _executeSale().

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.