The RAACNFT contract prevents burning NFTs by disallowing transfers to address(0), and it has no function for withdrawing the tokens deposited at mint time, so every crvUSD paid for minting is locked in the contract permanently.
The RAACNFT::_update() function rejects transfers to address(0), and a transfer to address(0) is exactly how ERC721 implementations (including OpenZeppelin's _burn) perform a burn:
Because the zero-address check fires on a burn as well as on an ordinary transfer, once an NFT is minted it can never be destroyed.
The user paid crvUSD to mint the NFT but cannot get it back. Moreover, since the contract has no function for withdrawing the deposited tokens, even the contract owner cannot retrieve them, so the crvUSD is locked permanently.
Proof of Concept:
1. User mints an NFT by calling RAACNFT::mint with the required crvUSD.
2. The tokens are transferred to the contract and remain there.
3. User attempts to burn the NFT but cannot, because RAACNFT::_update rejects address(0) as the destination.
4. The paid tokens remain locked in the contract permanently.
5. Even the contract owner cannot withdraw them, as no withdrawal function exists.
Impact:
Users cannot burn NFTs they no longer want.
crvUSD paid for minting is permanently locked in the contract, unrecoverable by users and the owner alike.
Recommended Mitigation:
Consider adding burn functionality, or a function for withdrawing the deposited tokens. Note that a burn path on its own only destroys the NFT; a withdrawal (or refund-on-burn) function is what releases the locked crvUSD.
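The following pair of contracts is an added illustration for this finding, not RAACNFT's code: LockedNFT reproduces the pattern described above (payment pulled in at mint, a zero-address guard in _update, no burn and no withdraw), and UnlockedNFT shows one remediated design. Contract names, the `burning` flag approach, and the assumption that OpenZeppelin Contracts v5 is available under `@openzeppelin/contracts` are all mine; the project may choose a different layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts added for this writeup; they are not RAACNFT's code.
// Assumes OpenZeppelin Contracts v5.x is installed at @openzeppelin/contracts.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Reproduces the pattern in the finding: mint() pulls the payment token into the
/// contract, _update() refuses any transfer whose destination is address(0), and
/// there is neither a burn() nor a withdraw().
contract LockedNFT is ERC721 {
    using SafeERC20 for IERC20;

    IERC20 public immutable paymentToken; // plays the role of crvUSD
    uint256 public immutable mintPrice;

    constructor(IERC20 token_, uint256 price_) ERC721("Locked", "LCK") {
        paymentToken = token_;
        mintPrice = price_;
    }

    function mint(uint256 tokenId) external {
        // Payment lands in this contract; nothing below can ever move it out again.
        paymentToken.safeTransferFrom(msg.sender, address(this), mintPrice);
        _safeMint(msg.sender, tokenId);
    }

    /// OpenZeppelin's _burn() is implemented as _update(address(0), tokenId, address(0)),
    /// so this guard rejects burns, not only user transfers to the zero address.
    function _update(address to, uint256 tokenId, address auth) internal override returns (address) {
        require(to != address(0), "LockedNFT: transfer to zero address");
        return super._update(to, tokenId, auth);
    }
}

/// Remediated variant (assumed design, not the project's): the zero-address guard
/// still applies to plain transfers, but burn() is let through explicitly and the
/// contract owner gets a withdraw() for the collected payment tokens.
contract UnlockedNFT is ERC721, Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable paymentToken;
    uint256 public immutable mintPrice;
    bool private burning; // true only for the duration of burn()

    constructor(IERC20 token_, uint256 price_, address owner_)
        ERC721("Unlocked", "UNL")
        Ownable(owner_)
    {
        paymentToken = token_;
        mintPrice = price_;
    }

    function mint(uint256 tokenId) external {
        paymentToken.safeTransferFrom(msg.sender, address(this), mintPrice);
        _safeMint(msg.sender, tokenId);
    }

    /// Token owner or an approved operator may burn. Passing msg.sender as `auth`
    /// makes ERC721._update run its own authorization check (same as ERC721Burnable).
    function burn(uint256 tokenId) external {
        burning = true;
        _update(address(0), tokenId, msg.sender);
        burning = false;
    }

    /// Owner-only exit for the collected payment tokens.
    function withdraw(address to, uint256 amount) external onlyOwner {
        require(to != address(0), "UnlockedNFT: withdraw to zero address");
        paymentToken.safeTransfer(to, amount);
    }

    function _update(address to, uint256 tokenId, address auth) internal override returns (address) {
        // Plain transfers to address(0) are still rejected; burns are allowed through.
        require(to != address(0) || burning, "UnlockedNFT: transfer to zero address");
        return super._update(to, tokenId, auth);
    }
}
```

The `burning` flag keeps the original guard intact for readers who want to preserve it. In practice it is unnecessary with OpenZeppelin v5, whose public transferFrom already reverts on a zero `to`, so the simplest fix is to drop the _update override entirely and expose burning through ERC721Burnable; either way, withdraw() (or a refund inside burn()) is what actually frees the locked crvUSD.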