In a properly secured NFT contract, the BidBeasts_NFT_ERC721::burn function should only allow the current owner of an NFT to destroy their own token. The function should verify that msg.sender is the owner of the specified token ID before proceeding with the burn operation, ensuring that only authorized users can permanently remove NFTs from circulation.
The BidBeasts_NFT_ERC721::burn function in the BidBeasts contract lacks any access control mechanism, allowing any user to call burn(uint256 _tokenId) on any NFT regardless of ownership. The function directly calls _burn(_tokenId) without verifying that msg.sender owns the token, enabling malicious actors to permanently destroy other users' valuable NFTs. This creates a critical security vulnerability where any address can destroy any NFT in the collection, leading to permanent loss of user assets and causing catastrophic harm to the overall protocol.
Likelihood:
High - The vulnerability is reachable in every call to BidBeasts_NFT_ERC721::burn, as there are no conditional checks or access controls that could prevent unauthorized burning - the function always executes regardless of the caller's ownership status. Malicious actors will attempt to exploit it immediately upon discovering the missing check.
Impact:
High - Users will permanently lose their valuable NFT assets without any possibility of recovery, as burned tokens are completely removed from the blockchain and cannot be restored, minted again, or transferred back to the original owner.
High - The entire NFT collection becomes unusable as users cannot safely hold or trade tokens knowing that any malicious actor can destroy their assets at any time, leading to immediate devaluation and abandonment of the project.
This test proves that a non-owner can burn any user's NFT.
1. Deploy and set up the contract
2. Mint an NFT to SELLER
3. Verify SELLER owns the NFT
4. Verify BIDDER_1 does not own the NFT
5. Have BIDDER_1 (who does not own the NFT) call burn on it
6. Verify the NFT was burned (ownerOf should revert)
ownerOf reverts, proving the NFT was burned by a non-owner.
Add an access control to the BidBeasts_NFT_ERC721::burn function.
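The following is an added example, not the BidBeasts project's code. It shows the hardened burn function with an owner check, alongside a Foundry test that walks the proof-of-concept steps above against the fixed contract: a non-owner's burn now reverts and the token survives, while the real owner can still burn. The contract name, the minimal mint function, the minter restriction and the test addresses are assumptions for the example; it assumes OpenZeppelin's ERC721 and forge-std are available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hypothetical hardened contract and test, not BidBeasts code.
// Assumes OpenZeppelin ERC721 and forge-std are installed in the Foundry project.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Test} from "forge-std/Test.sol";

contract BidBeastsNftHardened is ERC721 {
    // Custom error makes the failed access check explicit in traces and tests.
    error NotTokenOwner(address caller, uint256 tokenId);
    error NotMinter(address caller);

    // Assumption: a single minter is fixed at deployment for this example.
    address public immutable minter;

    constructor() ERC721("BidBeasts", "BB") {
        minter = msg.sender;
    }

    function mint(address to, uint256 tokenId) external {
        if (msg.sender != minter) revert NotMinter(msg.sender);
        _mint(to, tokenId);
    }

    // Vulnerable shape described in the finding, kept only as a comment for comparison:
    //   function burn(uint256 _tokenId) external { _burn(_tokenId); }

    // Hardened burn: only the current owner of _tokenId may destroy it.
    // ownerOf itself reverts for nonexistent tokens, so burning an unminted or
    // already-burned id fails before reaching _burn.
    function burn(uint256 _tokenId) external {
        if (ownerOf(_tokenId) != msg.sender) {
            revert NotTokenOwner(msg.sender, _tokenId);
        }
        _burn(_tokenId);
    }
}

contract BurnAccessControlTest is Test {
    BidBeastsNftHardened internal nft;
    address internal SELLER;
    address internal BIDDER_1;
    uint256 internal constant TOKEN_ID = 1;

    // Steps 1 and 2 of the proof of concept: deploy, then mint to SELLER.
    function setUp() public {
        nft = new BidBeastsNftHardened();
        SELLER = makeAddr("seller");
        BIDDER_1 = makeAddr("bidder1");
        nft.mint(SELLER, TOKEN_ID);
    }

    // Steps 3 to 6 against the fixed contract: the non-owner's burn must revert
    // and SELLER must still own the token afterwards.
    function test_nonOwnerCannotBurn() public {
        assertEq(nft.ownerOf(TOKEN_ID), SELLER);
        assertTrue(nft.ownerOf(TOKEN_ID) != BIDDER_1);

        vm.prank(BIDDER_1);
        vm.expectRevert(
            abi.encodeWithSelector(BidBeastsNftHardened.NotTokenOwner.selector, BIDDER_1, TOKEN_ID)
        );
        nft.burn(TOKEN_ID);

        // Token still exists and is still held by SELLER.
        assertEq(nft.ownerOf(TOKEN_ID), SELLER);
    }

    // The legitimate owner keeps the ability to burn; afterwards ownerOf reverts.
    function test_ownerCanBurn() public {
        vm.prank(SELLER);
        nft.burn(TOKEN_ID);

        vm.expectRevert();
        nft.ownerOf(TOKEN_ID);
    }
}
```

Run with `forge test --match-contract BurnAccessControlTest -vvv`. Comparing `ownerOf(_tokenId)` to `msg.sender` directly keeps the check independent of the OpenZeppelin version in use; if the protocol also wants approved operators to burn on an owner's behalf, that is a separate design decision and should be written down explicitly rather than left to the default behaviour of `_burn`.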
In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.