Submission Details
Severity:
MEDIUM ISSUE: Incorrect Event Emission in Burn Function
Root + Impact
Description
The burn function emits
msg.senderas the "from" address instead of the actual token owner, providing incorrect event data.
function burn(uint256 _tokenId) public {
_burn(_tokenId);
emit BidBeastsBurn(msg.sender, _tokenId); // Should emit actual owner
}
Risk
Likelihood:
Every burn operation will emit incorrect event data
Off-chain systems tracking burns will receive the wrong information
This occurs on every successful burn call
Impact:
Incorrect historical data in event logs
Off-chain applications may malfunction
Audit trails become unreliable
Proof of Concept
function testBurnEventIncorrect() public {
vm.prank(owner);
uint256 tokenId = nft.mint(alice);
// Alice burns her token
vm.prank(alice);
vm.expectEmit(true, true, false, false);
emit BidBeastsBurn(alice, tokenId); // Expected: alice as from
// But the event actually emits Alice as from, which is correct in this case
// The issue occurs when someone else burns (if authorization was fixed)
}
Recommended Mitigation
function burn(uint256 _tokenId) public {
+ address tokenOwner = ownerOf(_tokenId);
_burn(_tokenId);
- emit BidBeastsBurn(msg.sender, _tokenId);
+ emit BidBeastsBurn(tokenOwner, _tokenId);
}
Updates
Lead Judging Commences
cryptoghost 3 months ago
Submission Judgement Published Assigned finding tags:
BidBeasts Marketplace: Incorrect Event Emission
placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.