Bid Beasts

First Flight #49

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing Access Control in `burn` Function in `BidBeasts_NFT_ERC721.sol`

Rising Stars

Summary

The burn function in BidBeasts_NFT_ERC721.sol is vulnerable due to missing access control. It is declared as public without ownership checks, allowing any user to burn any NFT by providing its _tokenId. This results in a critical security risk, as unauthorized parties can permanently destroy NFTs owned by others, undermining the ERC721 ownership model.

Description

The burn function in the BidBeasts_NFT_ERC721.sol contract lacks access control, allowing any user to call the function and burn any NFT (identified by _tokenId). This is a critical security vulnerability, as it permits unauthorized users to destroy NFTs that they do not own, undermining the ownership integrity of the ERC721 contract.

The function is defined as follows: https://github.com/CodeHawks-Contests/2025-09-bid-beasts/blob/449341c55a57d3f078d1250051a7b34625d3aa04/src/BidBeasts_NFT_ERC721.sol#L23

function burn(uint256 _tokenId) public {

_burn(_tokenId);

emit BidBeastsBurn(msg.sender, _tokenId);

}

Unlike the mint function, which uses the onlyOwner modifier to restrict access to the contract owner, the burn function is marked as public without any access control checks. This allows any caller to burn any NFT, regardless of ownership.

For comparison, the mint function is properly restricted:

function mint(address to) public onlyOwner returns (uint256) {

uint256 _tokenId = CurrenTokenID;

_safeMint(to, _tokenId);

emit BidBeastsMinted(to, _tokenId);

CurrenTokenID++;

return _tokenId;

}

PoC:

function test_burnMissingAccessControl() public {

_mintNFT();

address ownerOfNFT = nft.ownerOf(0);

assertEq(ownerOfNFT, SELLER);

uint balanceOfSeller=nft.balanceOf(SELLER);

assertEq(balanceOfSeller,1);

nft.burn(0);

balanceOfSeller=nft.balanceOf(SELLER);

assertEq(balanceOfSeller,0);

}

Impact

Unauthorized NFT Destruction: Any user can burn any NFT, leading to potential loss of assets for legitimate owners.

Mitigation

To mitigate this vulnerability, the burn function should include an access control mechanism to ensure that only the owner of the NFT (or the contract owner, depending on the intended design) can burn it. The following approaches are recommended:

Restrict to NFT Owner:
Use the ownerOf function from the ERC721 standard to verify that the caller (msg.sender) is the owner of the _tokenId before allowing the burn operation.

Proposed Fix:

function burn(uint256 _tokenId) public {
require(msg.sender == ownerOf(_tokenId), "Only the NFT owner can burn it");
_burn(_tokenId);
emit BidBeastsBurn(msg.sender, _tokenId);
}

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago

Submission Judgement Published

Validated

Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.

Rewards breakdown

nSLOC

170

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!