Bid Beasts
First Flight #49
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

[H-1] Anyone Can Burn Any NFT (Unauthorized Destruction of Tokens)

cosminmarian53

[H-1] Anyone Can Burn Any NFT (Unauthorized Destruction of Tokens)

Description

Normally, only the owner of an NFT should be able to destroy (burn) their own token, preserving user property rights and preventing malicious griefing.
In the current implementation, any address can call burn(uint256 _tokenId) and destroy any NFT, regardless of ownership. This allows arbitrary users to irreversibly destroy NFTs they do not own.

//@audit -high? anyone can burn anyone else's NFT
function burn(uint256 _tokenId) public {
_burn(_tokenId); // @> No ownership check here
emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Likelihood:

  • This will occur whenever any user calls burn() with the tokenId of an NFT they do not own.

  • There are no access controls or ownership checks in place, so this is trivial to exploit.

Impact:

  • Any NFT can be destroyed by anyone, resulting in permanent loss of user assets.

  • This can be used for griefing, denial of service, or targeted attacks on users or the protocol (e.g., burning NFTs held in escrow by the marketplace).

Proof of Concept

This issue consists of two cases.
Case 1: Griefing individual users by burning their NFTs
Add the following test to BidBeastsMarketPlaceTest.t.sol:

function test_anyone_can_burn_nft() public {
address randomUser = makeAddr("randomUser");
vm.deal(randomUser, 1 ether);
_mintNFT();
//assert ownership
assertEq(nft.ownerOf(TOKEN_ID), SELLER);
//random user burns the nft
vm.prank(randomUser);
nft.burn(TOKEN_ID);
vm.expectRevert();
nft.ownerOf(TOKEN_ID);
}

Case 2: Disrupting protocol invariants by burning NFTs held in escrow, potentially breaking auctions and marketplace logic.

function test_anyone_can_burn_nft_while_in_marketplace_escrow() public {
address randomUser = makeAddr("randomUser");
vm.deal(randomUser, 1 ether);
_mintNFT();
_listNFT();
//assert ownership
assertEq(nft.ownerOf(TOKEN_ID), address(market));
//random user burns the nft
vm.prank(randomUser);
nft.burn(TOKEN_ID);
vm.expectRevert();
nft.ownerOf(TOKEN_ID);
}

Recommended Mitigation

Consider adding a check or a modifier to see if the person trying to burn the NFT is the actual owner of the asset.

- function burn(uint256 _tokenId) public {
- _burn(_tokenId);
- emit BidBeastsBurn(msg.sender, _tokenId);
- }
+ function burn(uint256 _tokenId) public {
+ require(ownerOf(_tokenId) == msg.sender, "Not the owner");
+ _burn(_tokenId);
+ emit BidBeastsBurn(msg.sender, _tokenId);
+ }
Updates

Lead Judging Commences

cryptoghost Lead Judge 21 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.

cryptoghost Lead Judge 21 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.