Bid Beasts
First Flight #49
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Incorrect Event Emission During Bid Placement Causes Misleading Auction State

yoyi

Incorrect Event Emission During Bid Placement Causes Misleading Auction State

Description

  • The AuctionSettled event should only be emitted when an auction is actually completed and finalized, indicating the final winner and sale price.

  • The placeBid function incorrectly emits the AuctionSettled event during regular bid placement, even though the auction is still ongoing and no settlement has occurred.

function placeBid(uint256 tokenId) external payable isListed(tokenId) {
// ... existing code ...
require(msg.sender != previousBidder, "Already highest bidder");
@> emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value); //Incorrectly emits settlement event during active bidding
// --- Regular Bidding Logic ---
// ... auction continues after this point ...
}

Risk

Likelihood:

  • This occurs on every valid bid placement after the buy-now logic check, affecting all regular auction bidding activity.

  • The event is emitted regardless of whether the auction will continue or end, creating false settlement signals.

  • External monitoring systems and frontend applications will receive incorrect auction state information on every bid.

Impact:

  • Off-chain monitoring systems and indexers will incorrectly interpret ongoing auctions as completed, leading to data inconsistencies.

  • Frontend applications may display incorrect auction status, confusing users about whether auctions are still active.

  • Analytics and reporting tools will show inflated settlement counts and incorrect auction completion data.

Proof of Concept

First we need to make a quick fix in test/BidBeastsMarketPlaceTest.t.sol:BidBeastsNFTMarketTest::setUp()

function setUp() public {
// Deploy contracts
- vm.prank(OWNER);
+ vm.startPrank(OWNER);
nft = new BidBeasts();
market = new BidBeastsNFTMarket(address(nft));
rejector = new RejectEther();
vm.stopPrank();
// Fund users
vm.deal(SELLER, STARTING_BALANCE);
vm.deal(BIDDER_1, STARTING_BALANCE);
vm.deal(BIDDER_2, STARTING_BALANCE);
}

Please add the following test to test/BidBeastsMarketPlaceTest.t.sol:BidBeastsNFTMarketTest:

event AuctionSettled(uint256 tokenId, address winner, address seller, uint256 price);
function testIncorrectEmit() public {
_mintNFT();
_listNFT();
/* ------------------------------ BIDDER_1 bids ----------------------------- */
vm.prank(BIDDER_1);
vm.expectEmit(address(market));
emit AuctionSettled(TOKEN_ID, BIDDER_1, SELLER, MIN_PRICE + 1);
market.placeBid{value: MIN_PRICE + 1}(TOKEN_ID);
}

Then run forge test --mt testIncorrectEmit

Output:

Ran 1 test for test/BidBeastsMarketPlaceTest.t.sol:BidBeastsNFTMarketTest
[PASS] testIncorrectEmit() (gas: 288422)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 836.25µs (92.11µs CPU time

Recommended Mitigation

Remove the incorrect event emission from the placeBid function:

function placeBid(uint256 tokenId) external payable isListed(tokenId) {
// ... existing code ...
require(msg.sender != previousBidder, "Already highest bidder");
- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);
// --- Regular Bidding Logic ---
// ... rest of function ...
}
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!