The BidBeasts ERC721 contract contains a critical vulnerability in its burn() function that allows any user to burn (permanently destroy) any existing NFT without authorization checks. The function directly calls the internal _burn() method without verifying that the caller is the token owner or has been approved to manage the token. This occurs because the _burn() function passes address(0) as the authorization parameter to _update(), which bypasses OpenZeppelin's built-in authorization checks.
1. Attacker identifies any existing NFT token ID in the BidBeasts collection.
2. Attacker calls the burn(tokenId) function with the target token ID.
3. The function executes without checking whether the attacker owns the token or has approval.
4. The NFT is permanently destroyed, removing it from the owner's balance and clearing its ownership record.
5. The attack can be repeated for any number of tokens, potentially destroying the entire collection.
Any NFT in the collection can be permanently destroyed by malicious actors
Place the test below in BidBeastsMarketPlaceTest.t.sol and run forge test --mt test_burnNFT
Replace the current burn() function with a properly authorized version that includes ownership or approval checks:
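The following is an added illustration of such a fix, not code from the BidBeasts project. It assumes OpenZeppelin Contracts v5 (whose _burn() forwards address(0) as the auth argument to _update(), as the finding describes) and a hypothetical minimal token contract with a mint() helper so the hardened burn() can be exercised; the contract name and mint() are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Hypothetical minimal BidBeasts-style token, used only to show the hardened burn().
contract BidBeastsHardened is ERC721 {
    uint256 private _nextId;

    constructor() ERC721("BidBeasts", "BB") {}

    // Assumed helper so the example is self-contained; not part of the finding.
    function mint(address to) external returns (uint256 tokenId) {
        tokenId = _nextId++;
        _safeMint(to, tokenId);
    }

    // Vulnerable shape described in the finding, kept as a comment for contrast:
    //   function burn(uint256 tokenId) external { _burn(tokenId); }
    // _burn() calls _update(address(0), tokenId, address(0)); an auth of
    // address(0) skips _checkAuthorized, so any caller can destroy any token.

    function burn(uint256 tokenId) external {
        // ownerOf() reverts with ERC721NonexistentToken for unminted or burned ids,
        // so a burn of a non-existent token fails before any authorization logic.
        address owner = ownerOf(tokenId);
        // _checkAuthorized reverts with ERC721InsufficientApproval unless msg.sender
        // is the owner, the per-token approved address, or an approved operator.
        _checkAuthorized(owner, _msgSender(), tokenId);
        _burn(tokenId);
    }
}
```

An equivalent one-line form mirrors OpenZeppelin's ERC721Burnable and calls _update(address(0), tokenId, _msgSender()) directly, which performs the same authorization check inside _update().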
In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.