Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Misleading Event Emission in placeBid Function

objectplayer

Root + Impact

Description

The normal behavior of events is to accurately represent the state changes occurring in a smart contract. In this case, AuctionSettled should only be emitted when an auction is actually settled.
The specific issue is that the AuctionSettled event is incorrectly emitted during the regular bidding process in the placeBid function, despite the auction not being settled at that point.

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

// ...

require(msg.sender != previousBidder, "Already highest bidder");

emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value); @> // Auction has not been settled here

// --- Regular Bidding Logic ---

// ...

}

Risk

Likelihood: High

This issue occurs on every bid placed that is not a buy-now bid and not from the previous highest bidder.
The incorrect event emission happens consistently with normal usage of the contract.

Impact: Low

Off-chain systems monitoring these events will receive incorrect signals that auctions have been settled when they have not.
This can lead to misleading analytics, incorrect user notifications, and confusion for users and developers.
No direct financial loss occurs, but it impacts the reliability of the contract's event logging system.

Proof of Concept

The issue can be easily verified by examining the contract's event emissions during bidding:

async function demonstrateIncorrectEventEmission() {

// Setup: Deploy contracts, mint NFT, list for auction

const nft = await BidBeasts.deploy();

const marketplace = await BidBeastsNFTMarket.deploy(nft.address);

const tokenId = await nft.mint(seller.address);

await nft.connect(seller).approve(marketplace.address, tokenId);

await marketplace.connect(seller).listNFT(tokenId, ethers.utils.parseEther("1.0"), ethers.utils.parseEther("3.0"));

// Listen for AuctionSettled events

const settledEvents = [];

marketplace.on("AuctionSettled", (tokenId, winner, seller, price) => {

settledEvents.push({ tokenId, winner, seller, price });

});

// User places a regular bid (not a buy-now)

await marketplace.connect(bidder).placeBid(tokenId, { value: ethers.utils.parseEther("1.1") });

// Wait for events to be processed

await new Promise(resolve => setTimeout(resolve, 1000));

console.log("AuctionSettled events emitted:", settledEvents.length);

console.log("Is the auction actually settled?", await isAuctionSettled(marketplace, tokenId));

// Helper function to check if auction is actually settled

async function isAuctionSettled(marketplace, tokenId) {

const listing = await marketplace.getListing(tokenId);

return !listing.listed; // If listing.listed is false, the auction is settled

}

// Expected output:

// AuctionSettled events emitted: 1

// Is the auction actually settled? false

This demonstrates that:

When a regular bid is placed, an AuctionSettled event is emitted.
However, the auction is not actually settled at this point (it's still listed and accepting bids).
This creates a discrepancy between the emitted events and the actual contract state.

Consumers of these events (like frontend applications or analytics tools) will incorrectly interpret that auctions are being settled when they're merely receiving bids.

Recommended Mitigation

function placeBid(uint256 tokenId) external payable isListed(tokenId) {

// ...

require(msg.sender != previousBidder, "Already highest bidder");

- emit AuctionSettled(tokenId, msg.sender, listing.seller, msg.value);

// --- Regular Bidding Logic ---

// ...

}

This simple change:

Accurate Event Emission: Removes the incorrect event emission, ensuring that AuctionSettled is only emitted when an auction is actually settled (as it properly is in the _executeSale function).
Consistent State Representation: Makes the contract's events accurately represent the contract's state changes, improving the reliability of the event system.
Off-chain Integration: Ensures that systems monitoring these events receive accurate signals about auction settlements.
Documentation: If there was a specific reason for this event emission, it should be documented clearly or a more appropriately named event should be used.

By making this change, the contract will maintain consistency between its state and events, leading to more reliable integrations and a better user experience for systems that rely on these events for notifications or data analysis.

Updates

Lead Judging Commences

cryptoghost Lead Judge 30 days ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.