Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

[M-4] The `BidBeastsNFTMarket::placeBid` function emits the `AuctionSettled` event on any bid placement, causing misinformation and confusion for users.

alexscherbatyuk

The `BidBeastsNFTMarket::placeBid` function emits the `AuctionSettled` event on any bid placement, causing misinformation and confusion for users.

Description

The BidBeastsNFTMarket::placeBid function emits the AuctionSettled event on any bid placement, while it should only be emitted if the bid equals or is greater than _buyNowPrice. The event
Inaccurate information and confusion for users and decentralized applications (dapps) that depend on the protocol's logs.

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

...

require(msg.sender != previousBidder, "Already highest bidder");

//@> emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);

// --- Regular Bidding Logic ---

uint256 requiredAmount;

...

emit BidPlaced(tokenId, msg.sender, msg.value);

}

Risk

Likelihood: High

This event emission occurs on each valid bid.
No specific condition.

Impact: Low

Inaccurate information for users.
Confusion for users’ decentralized applications (dapps) that depend on the protocol’s logs

Proof of Concept

Add the following code snippet to the `BidBeastsMarketPlaceTest.t.sol` test file.

event AuctionSettled(uint256 tokenId, address winner, address seller, uint256 price);

function testPlaceBidEmitsAuctionSettledOnAnyBid() public {

uint256 S_MIN_BID_INCREMENT_PERCENTAGE = 5;

uint256 firstBidAmount = MIN_PRICE + 1;

uint256 secondBidAmount = firstBidAmount + (firstBidAmount * S_MIN_BID_INCREMENT_PERCENTAGE) / 100;

_mintNFT();

_listNFT();

vm.prank(BIDDER_1);

vm.expectEmit(true, true, true, true, address(market));

emit AuctionSettled(TOKEN_ID, BIDDER_1, SELLER, MIN_PRICE + 1);

market.placeBid{value: MIN_PRICE + 1}(TOKEN_ID);

vm.prank(BIDDER_2);

vm.expectEmit(true, true, true, true, address(market));

emit AuctionSettled(TOKEN_ID, BIDDER_2, SELLER, secondBidAmount);

market.placeBid{value: secondBidAmount}(TOKEN_ID);

}

Recommended Mitigation

Remove the `AuctionSettled` event emission from the `BidBeastsNFTMarket::placeBid` function.

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

...

require(msg.sender != previousBidder, "Already highest bidder");-

- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);

// --- Regular Bidding Logic ---

uint256 requiredAmount;

...

emit BidPlaced(tokenId, msg.sender, msg.value);

}

Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.