Misleading Event Emission in placeBid Function Causes False Auction Settlement Logs
Root + Impact
Description
-
Normal behavior:
TheAuctionSettledevent should only be emitted after an auction is successfully settled, meaning the NFT has been transferred to the winner and funds distributed to the seller. -
Issue:
In theplaceBidfunction, theAuctionSettledevent is emitted during the bidding phase. This is misleading because the auction has not ended, and no settlement has occurred at that point.
Risk
Likelihood:
Occurs every time a bid is placed after the "already highest bidder" check passes.
Triggers consistently in normal bidding flows.
Impact:
Off-chain services (marketplace UIs, analytics, explorers) will incorrectly assume the auction has been settled.
Proof of Concept
Call the
placeBidfunction with a valid bid:market.placeBid{value: 1 ether}(123).The contract emits the event:
AuctionSettled(123, bidderAddress, sellerAddress, 1 ether).Observers reading events will conclude the auction was settled and the NFT transferred.
Actual contract state after the call: the auction is still active (not ended).
The NFT remains held in the marketplace escrow (no transfer occurred).
No funds/seller settlement has been performed — the emitted event is misleading.
Recommended Mitigation
Lead Judging Commences
BidBeasts Marketplace: Incorrect Event Emission
placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.