Improper Emission of AuctionSettled Event Within Bidding Function
Root + Impact
Description
-
In normal behavior, the
AuctionSettledevent is emitted after an auction has been finalized — meaning the NFT is transferred and funds have been paid out.
However, the contract emits the AuctionSettled event prematurely inside the placeBid() function, even before validating the bid amount, updating the highest bid, or refunding the previous bidder. This can lead off-chain systems (such as indexers or frontends) to falsely assume the auction has ended and the NFT has been settled.
Risk
Likelihood:
Occurs every time a bidder who is not the previous highest bidder calls
placeBid, regardless of whether their bid amount satisfies the required minimum bid.
Impact:
Off-chain systems monitoring
AuctionSettledevents may incorrectly believe a bid was accepted or an auction was settled when in fact the transaction failed.
Recommended Mitigation
Since _executeSale() already emits the AuctionSettled event when an auction actually settles, emitting it prematurely inside placeBid() (before validation and state changes) is redundant and misleading.
Lead Judging Commences
BidBeasts Marketplace: Incorrect Event Emission
placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.