Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Misplaced auction settled event creates misleading blockchain logs

anchabadze

Description:

The placeBid() function contains a misplaced AuctionSettled event emission that occurs during regular bid placement rather than actual auction completion. This event is emitted outside the buy-now logic block, causing it to fire every time a user places a regular bid, not when an auction is actually settled. This creates false auction completion records on the blockchain and can mislead off-chain systems, analytics tools, and users monitoring auction activities.

_executeSale()contains emit AuctionSettled(tokenId, bid.bidder, listing.seller, bid.amount);

Attack path:

User calls placeBid(tokenId) with a regular bid amount (not triggering buy-now logic)
The function passes initial validation checks
AuctionSettled event is incorrectly emitted with bid details before the bid is actually processed
Off-chain systems record this as a completed auction when it's actually just a bid placement
The auction continues normally with the bid being placed
When the auction actually ends via settleAuction() or takeHighestBid(), another AuctionSettled event is emitted from _executeSale()
This results in duplicate and misleading auction settlement records for the same auction

Impact:

Blockchain logs contain false auction completion records

Analytics dashboards, indexers, and monitoring tools receive incorrect data

Frontend applications may display incorrect auction status information

Recommended Mitigation:

Remove the misplaced AuctionSettled event emission from the regular bidding flow:

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

Listing storage listing = listings[tokenId];

address previousBidder = bids[tokenId].bidder;

uint256 previousBidAmount = bids[tokenId].amount;

require(listing.seller != msg.sender, "Seller cannot bid");

require(listing.auctionEnd == 0 || block.timestamp < listing.auctionEnd, "Auction ended");

// --- Buy Now Logic ---

if (listing.buyNowPrice > 0 && msg.value >= listing.buyNowPrice) {

uint256 salePrice = listing.buyNowPrice;

Updates

Lead Judging Commences

cryptoghost Lead Judge 27 days ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.