Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Unrestricted Burn Function Allows Any User to Destroy Any NFT

Root + Impact

Description

  • The BidBeasts NFT contract is expected to allow only the token owner, or an address the owner has approved, to burn an NFT, matching the authorization model ERC721 applies to transfers.

  • The public burn function performs no access control at all: it calls the inherited ERC721 _burn helper, which does no authorization check of its own, so any external address can destroy any token regardless of who owns it.

// Root cause in src/BidBeasts_NFT_ERC721.sol:23-26
function burn(uint256 _tokenId) public {
    _burn(_tokenId); // @> No ownership or approval validation
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Likelihood: HIGH

  • Any user can call the function at any time without prerequisites

  • Function is publicly accessible, no restrictions

  • Attack requires only knowing a valid token ID

Impact: CRITICAL

  • Permanent loss of NFT assets

  • NFTs listed on the marketplace can be destroyed mid-auction, breaking those auctions for the seller and any bidders

  • Total value destruction with no recovery route

  • Complete breakdown of the ownership guarantee an ERC721 token is supposed to provide

Proof of Concept

// Add this test to test/BidBeastsMarketPlaceTest.t.sol
function testUnrestrictedBurnVulnerability() public {
    // Setup: Create test addresses using Foundry's makeAddr
    address alice = makeAddr("alice");
    address bob = makeAddr("bob"); // Malicious actor

    vm.prank(contractOwner);
    uint256 tokenId = bidBeastsNft.mint(alice);

    // Verify Alice owns the NFT - this is her valuable asset
    assertEq(bidBeastsNft.ownerOf(tokenId), alice);
    console.log("Alice owns NFT #", tokenId);

    // Alice's NFT could be worth significant value
    // She might have it listed for sale, or just holding it

    // ATTACK: Bob (who has no relationship to Alice or the NFT)
    // can simply call burn and destroy Alice's NFT
    vm.prank(bob);
    bidBeastsNft.burn(tokenId); // This succeeds when it should revert!

    // Verify the NFT is now destroyed - ownerOf reverts for non-existent tokens
    vm.expectRevert();
    bidBeastsNft.ownerOf(tokenId);

    // Alice has permanently lost her NFT with no recourse
    console.log("Bob successfully destroyed Alice's NFT!");
}
To run this proof of concept:
1. Save the test in your test file
2. Run: forge test --match-test testUnrestrictedBurnVulnerability -vvv
3. The test will pass, confirming that Bob can burn Alice's NFT
This demonstrates that any malicious actor can destroy any NFT in the entire collection, representing a critical security failure.

Recommended Mitigation

function burn(uint256 _tokenId) public {
+   // Add ownership and approval validation
+   address tokenOwner = ownerOf(_tokenId);
+
+   // Check if caller is authorized: owner, approved for specific token, or approved for all
+   require(
+       msg.sender == tokenOwner ||
+           isApprovedForAll(tokenOwner, msg.sender) ||
+           getApproved(_tokenId) == msg.sender,
+       "BidBeasts: caller is not token owner or approved"
+   );
+
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}
Alternative Implementation Using OpenZeppelin Pattern:
function burn(uint256 _tokenId) public {
-   _burn(_tokenId);
+   // Use _update with msg.sender as auth to trigger authorization checks
+   _update(address(0), _tokenId, _msgSender());
    emit BidBeastsBurn(msg.sender, _tokenId);
}
Explanation of the Mitigation:
1. Ownership Check (msg.sender == tokenOwner): the NFT owner can always burn their own token
2. Approval Check (getApproved(_tokenId) == msg.sender): an address approved for this specific token can burn it
3. Operator Check (isApprovedForAll(tokenOwner, msg.sender)): an operator with blanket approval from the owner can burn it
These three conditions are exactly the authorization rule ERC721 applies to transfers, and they are what OpenZeppelin's internal helper already implements (_isApprovedOrOwner in v4, _isAuthorized in v5), so delegating to that helper instead of re-implementing the check keeps burn and transfer authorization from drifting apart. The _update(address(0), _tokenId, _msgSender()) variant is the OpenZeppelin v5 pattern (it is what ERC721Burnable does) and will not compile against v4, where _update does not exist. Note also that ownerOf reverts for a nonexistent token, so burning an already-burned ID fails on the first line rather than reaching the require. After either fix, only the owner, a per-token approved address, or an approved operator can burn an NFT, which is the guarantee ERC721 holders expect. One remaining detail: the BidBeastsBurn event still records msg.sender, so an approved or operator burn logs the caller rather than the owner, which matters if anything indexes burns by owner.
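A regression test for the fix, added here as an example; it is not part of the original submission or of the BidBeasts repository. It reuses the fixture names the PoC above uses (bidBeastsNft, contractOwner, a mint(address) that returns the new token ID) and assumes the contract is named BidBeasts with a no-argument constructor; adjust the import and setUp to the real contract. Unauthorized burns are expected to revert with some error, so the test uses an unqualified vm.expectRevert(). It exercises all three authorized paths from the mitigation plus two paths that must still fail, which the original PoC does not cover.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
// Contract name and path are assumptions; point this at the real BidBeasts ERC721.
import {BidBeasts} from "../src/BidBeasts_NFT_ERC721.sol";

contract BidBeastsBurnAuthTest is Test {
    BidBeasts internal bidBeastsNft;
    address internal contractOwner = makeAddr("contractOwner");
    address internal alice = makeAddr("alice");
    address internal bob = makeAddr("bob");

    function setUp() public {
        // Assumed: contractOwner deploys the NFT and is the only address allowed to mint.
        vm.prank(contractOwner);
        bidBeastsNft = new BidBeasts();
    }

    function _mintToAlice() internal returns (uint256 tokenId) {
        vm.prank(contractOwner);
        tokenId = bidBeastsNft.mint(alice);
        assertEq(bidBeastsNft.ownerOf(tokenId), alice);
    }

    // Regression for the finding: an unrelated address must no longer be able to burn.
    function testStrangerCannotBurn() public {
        uint256 tokenId = _mintToAlice();
        vm.prank(bob);
        vm.expectRevert();
        bidBeastsNft.burn(tokenId);
        assertEq(bidBeastsNft.ownerOf(tokenId), alice); // token survives the attempt
    }

    // Path 1 from the mitigation: the owner can burn.
    function testOwnerCanBurn() public {
        uint256 tokenId = _mintToAlice();
        vm.prank(alice);
        bidBeastsNft.burn(tokenId);
        vm.expectRevert();
        bidBeastsNft.ownerOf(tokenId); // token is gone
    }

    // Path 2: an address approved for this specific token can burn it.
    function testPerTokenApprovalCanBurn() public {
        uint256 tokenId = _mintToAlice();
        vm.prank(alice);
        bidBeastsNft.approve(bob, tokenId);
        vm.prank(bob);
        bidBeastsNft.burn(tokenId);
        vm.expectRevert();
        bidBeastsNft.ownerOf(tokenId);
    }

    // Path 3: an operator with blanket approval from the owner can burn.
    function testOperatorCanBurn() public {
        uint256 tokenId = _mintToAlice();
        vm.prank(alice);
        bidBeastsNft.setApprovalForAll(bob, true);
        vm.prank(bob);
        bidBeastsNft.burn(tokenId);
        vm.expectRevert();
        bidBeastsNft.ownerOf(tokenId);
    }

    // Approval on a different token must not authorize burning this one.
    function testApprovalOnOtherTokenDoesNotAuthorize() public {
        uint256 tokenA = _mintToAlice();
        uint256 tokenB = _mintToAlice();
        vm.prank(alice);
        bidBeastsNft.approve(bob, tokenB);
        vm.prank(bob);
        vm.expectRevert();
        bidBeastsNft.burn(tokenA);
        assertEq(bidBeastsNft.ownerOf(tokenA), alice);
    }
}
```

Run it with forge test --match-contract BidBeastsBurnAuthTest -vvv. Against the unfixed contract, testStrangerCannotBurn and testApprovalOnOtherTokenDoesNotAuthorize fail because the burn succeeds; after either mitigation all five tests pass. If the fix reverts with a custom error, tighten the two vm.expectRevert() calls to that error's selector so the tests cannot be satisfied by an unrelated revert.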
Updates

Lead Judging Commences

cryptoghost Lead Judge 21 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
