Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Anyone Can Burn NFTs in BidBeasts ERC721 Implementation

Root + Impact

Description

  • Normally, only the NFT owner or an operator approved by the owner should be able to burn a token. In the current BidBeasts implementation, however, any address can call burn() on any token ID, regardless of who owns it.

  • This allows a malicious user to permanently destroy NFTs owned by other users, leading to loss of assets and disruption of the project.

function burn(uint256 _tokenId) public {
@>  _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Likelihood:

  • The function is public and unrestricted, so the issue is triggered by any external address simply calling burn().

  • No ownership check is performed before calling _burn(), making the vulnerability always exploitable.

Impact:

  • Attackers can burn NFTs belonging to other users, resulting in permanent loss of valuable tokens.

  • This undermines user trust in the protocol and could make the NFT collection unusable.

Proof of Concept

function testBurnAnyone() public {
    // --- Step 1: Mint NFT to SELLER ---
    vm.startPrank(OWNER);
    uint256 tokenId = nft.mint(SELLER);
    vm.stopPrank();
    // Verify SELLER is the owner
    assertEq(nft.ownerOf(tokenId), SELLER);

    // --- Step 2: BIDDER_1 (not owner) calls burn() ---
    vm.startPrank(BIDDER_1);
    nft.burn(tokenId); // <- Vulnerability: no ownership check
    vm.stopPrank();

    // --- Step 3: Verify NFT is permanently destroyed ---
    vm.expectRevert();
    nft.ownerOf(tokenId); // Should revert since token no longer exists
}
  • Mint: OWNER mints an NFT to SELLER.

  • Attack: BIDDER_1 (unauthorized) calls burn(tokenId).

  • Verification: ownerOf(tokenId) reverts because the NFT has been destroyed, proving that anyone can burn other users' NFTs.

Recommended Mitigation

To mitigate this:

  1. Use _isApprovedOrOwner Check:
    Before performing _burn(tokenId), validate that the caller is either the owner of the token or an operator approved by the owner. OpenZeppelin’s ERC721 implementation provides _isApprovedOrOwner(msg.sender, tokenId) for this exact purpose.

  2. Restrict Access in Public Functions:
    Ensure that all sensitive actions (burning, transferring, or modifying token metadata) are restricted to authorized addresses only. This prevents arbitrary users from performing destructive operations.
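As an added example (not the BidBeasts code), a hardened burn() that checks the caller against the token holder and its approvals using only the public ERC721 views, so it does not depend on an internal OpenZeppelin helper name, together with a Foundry test showing a stranger is rejected while the holder and an approved operator can still burn. It assumes OpenZeppelin v5 (Ownable constructor argument) and forge-std; contract and test names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

// Hypothetical hardened variant of burn() (added example, not the BidBeasts code).
contract BidBeastsBurnFixed is ERC721, Ownable {
    uint256 private _nextId;
    event BidBeastsBurn(address indexed caller, uint256 indexed tokenId);
    error NotOwnerNorApproved(address caller, uint256 tokenId);
    constructor() ERC721("BidBeasts", "BB") Ownable(msg.sender) {}

    function mint(address to) external onlyOwner returns (uint256 id) {
        id = _nextId++;
        _safeMint(to, id);
    }
    // Owner-or-operator check built from the public ERC721 views only, so it
    // behaves the same on OZ v4 and v5; ownerOf() reverts for a burnt/unknown id.
    function _callerCanBurn(address caller, uint256 tokenId) internal view returns (bool) {
        address holder = ownerOf(tokenId);
        return caller == holder || getApproved(tokenId) == caller || isApprovedForAll(holder, caller);
    }
    function burn(uint256 tokenId) external {
        if (!_callerCanBurn(msg.sender, tokenId)) revert NotOwnerNorApproved(msg.sender, tokenId);
        _burn(tokenId);
        emit BidBeastsBurn(msg.sender, tokenId);
    }
}

// Foundry test: a stranger is rejected, the holder (and its operator) may still burn.
contract BidBeastsBurnFixedTest is Test {
    BidBeastsBurnFixed nft;
    address seller = makeAddr("seller");
    address bidder = makeAddr("bidder");
    function setUp() public { nft = new BidBeastsBurnFixed(); }

    function testOnlyHolderOrOperatorCanBurn() public {
        uint256 id = nft.mint(seller); // this test contract deployed nft, so it is the owner
        vm.prank(bidder);
        vm.expectRevert(abi.encodeWithSelector(BidBeastsBurnFixed.NotOwnerNorApproved.selector, bidder, id));
        nft.burn(id);
        assertEq(nft.ownerOf(id), seller); // token survived the unauthorised attempt
        vm.prank(seller);
        nft.setApprovalForAll(bidder, true); // bidder becomes an approved operator
        vm.prank(bidder);
        nft.burn(id); // now permitted
        vm.expectRevert();
        nft.ownerOf(id); // token is gone
    }
}
```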

- function burn(uint256 _tokenId) public {
- _burn(_tokenId);
- emit BidBeastsBurn(msg.sender, _tokenId);
- }
+ function burn(uint256 _tokenId) public onlyOwner {
+ _burn(_tokenId);
+ emit BidBeastsBurn(msg.sender, _tokenId);
+ }
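Review bot: the `+ function burn(uint256 _tokenId) public onlyOwner {` line does not implement the recommendation given in step 1. `onlyOwner` restricts burn() to the contract owner, not to the token's owner or an approved operator, so token holders can no longer burn their own tokens while the contract owner can still burn anyone's. Replace the modifier with the check described above, for example `require(_isApprovedOrOwner(msg.sender, _tokenId), "not owner nor approved");` placed before `_burn(_tokenId);`.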
Updates

Lead Judging Commences

cryptoghost Lead Judge 21 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
