Root + Impact

Description

• Normal behavior: The BidBeastsNFTMarket::AuctionSettled event should only be emitted when an auction is finalized — i.e., after settlement logic is executed, the auction state is updated, and all asset and fund transfers have succeeded.

• Issue: In the current implementation, BidBeastsNFTMarket::placeBid() emits BidBeastsNFTMarket::AuctionSettled immediately after recording a bid. This is misleading because the auction is still ongoing and settlement has not taken place. As a result, off-chain services (marketplace UIs, indexers, analytics, or bots) may incorrectly interpret the auction as closed, even though it is still active.

Risk

Likelihood:

• This will occur every time a bid is placed, since the event is always emitted inside BidBeastsNFTMarket::placeBid().

• Off-chain systems and frontends often rely solely on events for synchronization, meaning the misleading event will frequently cause incorrect interpretations.

Impact:

• Users and UIs may treat the auction as finished, preventing further bids and reducing competitive price discovery.

• Indexers, bots, and analytics platforms may log incorrect winner/price data, leading to inconsistencies with the actual final settlement.

Proof of Concept

1. A seller lists an item for auction.

2. A bidder calls BidBeastsNFTMarket::placeBid() with a valid bid.

3. The contract emits BidBeastsNFTMarket::AuctionSettled, even though the auction remains active.

4. An off-chain marketplace UI displays the auction as closed and disables bidding.

5. The seller loses potential higher bids and the auction outcome is misrepresented.

This demonstrates that emitting BidBeastsNFTMarket::AuctionSettled in BidBeastsNFTMarket::placeBid() directly misleads off-chain logic and negatively affects the integrity of the auction process.

Recommended Mitigation

The premature event emission should be removed. BidBeastsNFTMarket::AuctionSettled should only be emitted from the actual auction settlement function after successful completion.