Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Premature AuctionSettled emit on bid misleads indexers and UIs

emfarih

Root + Impact

Description

Normal behavior: The AuctionSettled event should only be emitted when the auction has truly finalized — meaning the NFT has been transferred to the winning bidder and the seller has received payment.
Issue: In the placeBid function, the AuctionSettled event is emitted immediately upon a bid being placed, before the auction is actually finalized. This causes off-chain services (indexers, explorers, dashboards) to falsely record completed sales even though the auction is still active.

require(msg.sender != previousBidder, "Already highest bidder");

@> emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value); // emitted prematurely during bidding

Risk

Likelihood:

This occurs every time a user places a bid in an active auction.
Any auction with at least one bid will generate this misleading event.

Impact:

Off-chain systems such as UIs, explorers, or analytics platforms will record false “sale completed” events, corrupting history.
Automated business processes (accounting, notifications, webhooks) may be triggered prematurely, causing confusion or errors.

Proof of Concept

// Scenario:

// 1. Seller lists tokenId 0 with minPrice = 0.01 ETH.

// 2. A bidder calls placeBid(0) with 0.02 ETH.

// Expected outcome:

// - Auction remains active

// - Highest bid updates to 0.02 ETH

// - Auction end time extended

// - No AuctionSettled event until finalization

// Actual outcome:

// - AuctionSettled(0, bidder, seller, 0.02 ETH) emitted immediately

// - Off-chain systems believe the auction has closed and the NFT is sold

// - NFT remains escrowed, auction is ongoing

The event misrepresents state. Off-chain systems trust events more
than storage, so this creates a false “sold” record and breaks UX/business logic.

Recommended Mitigation

- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);

+ // Remove this premature emission.

+ // Only emit AuctionSettled inside the finalization logic (_executeSale),

+ // after the NFT transfer and payouts are complete.

By moving AuctionSettled to the finalization function (_executeSale), the event will only be emitted when the auction actually ends — either via takeHighestBid, settleAuction, or buy-now logic. This ensures that on-chain events always reflect true auction state, keeping off-chain consumers consistent with the real outcome.

Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.