Bid Beasts
First Flight #49
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

Incorrect Event Emission During Bid Placement Causes Misleading Auction State

yoyi

Incorrect Event Emission During Bid Placement Causes Misleading Auction State

Description

  • The AuctionSettled event should only be emitted when an auction is actually completed and finalized, indicating the final winner and sale price.

  • The placeBid function incorrectly emits the AuctionSettled event during regular bid placement, even though the auction is still ongoing and no settlement has occurred.

function placeBid(uint256 tokenId) external payable isListed(tokenId) {
// ... existing code ...
require(msg.sender != previousBidder, "Already highest bidder");
@> emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value); //Incorrectly emits settlement event during active bidding
// --- Regular Bidding Logic ---
// ... auction continues after this point ...
}

Risk

Likelihood:

  • This occurs on every valid bid placement after the buy-now logic check, affecting all regular auction bidding activity.

  • The event is emitted regardless of whether the auction will continue or end, creating false settlement signals.

  • External monitoring systems and frontend applications will receive incorrect auction state information on every bid.

Impact:

  • Off-chain monitoring systems and indexers will incorrectly interpret ongoing auctions as completed, leading to data inconsistencies.

  • Frontend applications may display incorrect auction status, confusing users about whether auctions are still active.

  • Analytics and reporting tools will show inflated settlement counts and incorrect auction completion data.

Proof of Concept

First we need to make a quick fix in test/BidBeastsMarketPlaceTest.t.sol:BidBeastsNFTMarketTest::setUp()

function setUp() public {
// Deploy contracts
- vm.prank(OWNER);
+ vm.startPrank(OWNER);
nft = new BidBeasts();
market = new BidBeastsNFTMarket(address(nft));
rejector = new RejectEther();
vm.stopPrank();
// Fund users
vm.deal(SELLER, STARTING_BALANCE);
vm.deal(BIDDER_1, STARTING_BALANCE);
vm.deal(BIDDER_2, STARTING_BALANCE);
}

Please add the following test to test/BidBeastsMarketPlaceTest.t.sol:BidBeastsNFTMarketTest:

event AuctionSettled(uint256 tokenId, address winner, address seller, uint256 price);
function testIncorrectEmit() public {
_mintNFT();
_listNFT();
/* ------------------------------ BIDDER_1 bids ----------------------------- */
vm.prank(BIDDER_1);
vm.expectEmit(address(market));
emit AuctionSettled(TOKEN_ID, BIDDER_1, SELLER, MIN_PRICE + 1);
market.placeBid{value: MIN_PRICE + 1}(TOKEN_ID);
}

Then run forge test --mt testIncorrectEmit

Output:

Ran 1 test for test/BidBeastsMarketPlaceTest.t.sol:BidBeastsNFTMarketTest
[PASS] testIncorrectEmit() (gas: 288422)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 836.25µs (92.11µs CPU time

Recommended Mitigation

Remove the incorrect event emission from the placeBid function:

function placeBid(uint256 tokenId) external payable isListed(tokenId) {
// ... existing code ...
require(msg.sender != previousBidder, "Already highest bidder");
- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);
// --- Regular Bidding Logic ---
// ... rest of function ...
}
Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.