Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: low
Valid

Premature Emission Of Auction Settled Event Causing Misleading Logs And Unreliable Audit Trail


Description

  • Normally, the AuctionSettled event should only be emitted after an auction is fully finalized, meaning the winner is determined, funds are transferred, and the NFT ownership is updated.

  • In the current implementation, AuctionSettled is emitted prematurely, before any settlement logic occurs. This generates misleading logs that make it appear as if the auction has concluded, when in reality it is still ongoing.

// Root cause in the codebase
require(msg.sender != previousBidder, "Already highest bidder");
@> emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value); // emitted before auction is settled

Risk: Medium

Likelihood:

  • Any time a bidder places a bid while not being the previous highest bidder, this line executes and emits the event.

  • This will occur on every new bid placement before settlement, meaning all auctions with active bidding are affected.

Impact:

  • Off-chain services, indexers, or frontends may display false auction finalization, misleading users and automated bots.

  • The audit trail of the contract is compromised, which could be exploited by malicious actors to create confusion or attempt double-selling scenarios.
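The effect on an off-chain consumer, and a check it can apply, as an added example that is not part of the submission or the BidBeasts code base: an indexer treats AuctionSettled as final only when the same transaction also carries an ERC-721 Transfer of that token to the winner. The log shape (txHash, event, args) and the argument names winner, seller and price are assumptions, and the sample logs are constructed.

```javascript
// Added example. The decoded logs below are constructed sample data; the field
// names winner/seller/price are assumed labels for AuctionSettled's arguments.

// Give every AuctionSettled log a verdict: "confirmed" when the same
// transaction also carries an ERC-721 Transfer of that token to the winner,
// "unconfirmed" otherwise (for example, the event emitted during a bid).
function auditSettledEvents(logs) {
  // Index Transfer logs by transaction hash for same-transaction lookups.
  const transfersByTx = new Map();
  for (const log of logs) {
    if (log.event !== "Transfer") continue;
    if (!transfersByTx.has(log.txHash)) transfersByTx.set(log.txHash, []);
    transfersByTx.get(log.txHash).push(log.args);
  }
  // Addresses arrive checksummed or lower-case depending on the decoder.
  const sameAddress = (a, b) => a.toLowerCase() === b.toLowerCase();
  return logs
    .filter((log) => log.event === "AuctionSettled")
    .map((log) => {
      const transfers = transfersByTx.get(log.txHash) || [];
      const delivered = transfers.some(
        (t) =>
          String(t.tokenId) === String(log.args.tokenId) &&
          sameAddress(t.to, log.args.winner)
      );
      return {
        txHash: log.txHash,
        tokenId: String(log.args.tokenId),
        verdict: delivered ? "confirmed" : "unconfirmed",
      };
    });
}

// Constructed sample: tx 0xaaa is a bid that emitted AuctionSettled with no
// NFT movement; tx 0xbbb is a settlement with the matching Transfer.
const SELLER = "0x00000000000000000000000000000000000000A1";
const BIDDER_1 = "0x00000000000000000000000000000000000000B1";
const settled = { tokenId: "0", winner: BIDDER_1, seller: SELLER, price: "1500000000000000000" };
const sampleLogs = [
  { txHash: "0xaaa", event: "AuctionSettled", args: settled },
  { txHash: "0xbbb", event: "Transfer",
    args: { from: SELLER, to: BIDDER_1.toLowerCase(), tokenId: "0" } },
  { txHash: "0xbbb", event: "AuctionSettled", args: settled },
];

console.log(auditSettledEvents(sampleLogs));
```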

Proof of Concept

The proof of concept proceeds as follows:

  1. Set up the marketplace: Deploy the NFT marketplace contract and mint an NFT to a seller account. The seller owns the NFT and is ready to list it.

  2. List the NFT: The seller lists the NFT with a minimum bid price (and optionally a Buy Now price). At this point, the auction has started but no bids have been finalized yet.

  3. Place the first bid: A bidder places a bid higher than the minimum price. Normally, the auction is still ongoing, and no final settlement should occur.

  4. Premature event emission: Despite the auction not being finalized, the contract emits the AuctionSettled event. This gives the false impression that the auction has ended and the bidder has won, even though no NFT transfer or payment settlement has occurred yet.

  5. Observe off-chain impact: Any front-end, analytics tool, or bot listening to events will see the AuctionSettled log and incorrectly assume the auction is complete. This can lead to confusion, misleading UI data, or automated actions based on incorrect assumptions.

In short: the event signals completion too early, while the auction is still active, creating a mismatch between on-chain state and the logs.

function test_wrong_event_emission() public {
    // 1. Deploy marketplace and mint NFT to seller
    uint256 tokenId = nft.mint(SELLER);
    // 2. Seller lists the NFT
    vm.prank(SELLER);
    market.listNFT(tokenId, 1 ether, 5 ether);
    // 3. First bidder places a bid
    vm.prank(BIDDER_1);
    market.placeBid{value: 1.5 ether}(tokenId);
    // 4. Observe logs: AuctionSettled is emitted even though the auction is not finalized
    // Logs will show: AuctionSettled(tokenId, BIDDER_1, SELLER, 1.5 ether)
    // This demonstrates misleading event emission before settlement
}

Recommended Mitigation

To mitigate this issue, ensure that the AuctionSettled event is only emitted after the auction has been fully finalized, including determining the winner, transferring the NFT, and handling payments.

- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);
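Review bot: the removed emit is the only event the report shows in the bidding path, and the hunk deletes it with no replacement, so consumers lose the bid signal together with the false settlement signal. Consider emitting a bid-specific event at that point instead, and confirm that the settlement path emits AuctionSettled only after the NFT transfer and payment handling, since the hunk has no `+` line showing where the event ends up. The hunk also carries no file header or context lines; adding them would make clear that the deletion is the one following the "Already highest bidder" check.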
Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
