Incorrect Event Emission in `placeBid` Causes Premature Auction Settlement Signals
Description
In the current implementation of placeBid, the contract emits the AuctionSettled event before the auction is actually settled.
The event AuctionSettled should only be emitted once the auction ends and the highest bidder wins, not when a new bid is placed. Emitting it prematurely misleads off-chain services into treating the auction as finalized.
The correct event to emit in this context is BidPlaced.
Risk and Impact
-
Incorrect State Tracking: Off-chain services (indexers, marketplaces, or frontends) will wrongly interpret the auction as closed.
-
Premature Settlement Signals: Marketplaces and bots could act on this event, marking items as sold before the auction is actually complete.
Severity: Low – while the core auction logic on-chain remains intact, off-chain systems will desynchronize, leading to potential financial or reputational issues.
PoC
Scenario:
Auction is ongoing for
tokenId101.A user places a new bid via
placeBid.Instead of emitting
BidPlaced, the contract emits:
4.Indexers, explorers, or frontends will now wrongly record this auction as settled, even though it is still active on-chain.
Recommended Mitigation
Remove AuctionSettled event from placeBid function:
Lead Judging Commences
BidBeasts Marketplace: Incorrect Event Emission
placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.