Bid Beasts
First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

[H-2] Missing access checks in the `BidBeasts_NFT_ERC721.sol::burn` function allow any user to burn an NFT they do not own, creating a DoS attack vector and dismantling the marketplace contract logic

Description

  • Normal behaviour: Only the owners of NFTs should be allowed to burn them.

  • Problematic behaviour: Any user can call the BidBeasts_NFT_ERC721.sol::burn function and burn an NFT they are not an owner of.

Root cause:

```solidity
@> function burn(uint256 _tokenId) public {
       _burn(_tokenId);
       emit BidBeastsBurn(msg.sender, _tokenId);
   }
```

Risk

Likelihood: High

The vulnerability occurs when

  • a malicious user calls the BidBeasts_NFT_ERC721.sol::burn function and burns an NFT belonging to any seller in the NFT marketplace.

Impact: High

  • This is a vulnerability with a high impact, as malicious users can attack the NFT marketplace by burning any or all of the listed NFTs. As a result, the marketplace will not be able to provide its intended services, thus resulting in a Denial of Service for any users or sellers.

Proof of Concept

As a PoC, include the following test in the Foundry test suite and run it with `forge test --mt test_burnNFT_LetsNonOwnerBurnNFT`.

The test shows how any user can burn an NFT they are not an owner of.

```solidity
function test_burnNFT_LetsNonOwnerBurnNFT() public {
    // NFT contract owner mints an NFT to SELLER
    vm.startPrank(OWNER);
    uint256 tokenID = nft.mint(SELLER);
    vm.stopPrank();

    // Assert that the seller owns the minted NFT
    address nftOwner = nft.ownerOf(tokenID);
    assertEq(nftOwner, SELLER, "The NFT owner is not the seller");

    // BIDDER_1 burns the NFT belonging to SELLER
    vm.prank(BIDDER_1);
    nft.burn(tokenID);

    // Assert that the token has been burned: ownerOf reverts for a nonexistent token
    vm.expectRevert();
    nft.ownerOf(tokenID);
}
```

Recommended Mitigation

To mitigate the DoS attack vector, the `_checkAuthorized` function from OpenZeppelin's `ERC721.sol` should be called before `_burn`. This ensures that `msg.sender` can burn the NFT only if they are the current owner, the approved address for that token, or an approved operator of the owner.

```diff
  function burn(uint256 _tokenId) public {
+     address owner = ownerOf(_tokenId);
+     _checkAuthorized(owner, msg.sender, _tokenId);
      _burn(_tokenId);
      emit BidBeastsBurn(msg.sender, _tokenId);
  }
```
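The following Foundry test file is an added example, not code from the original finding or from the BidBeasts code base. It wraps the recommended mitigation in a minimal stand-in contract (`HardenedBeasts`, a hypothetical name) and checks the two behaviours the mitigation must provide: a non-owner's `burn` reverts with the OpenZeppelin v5 `ERC721InsufficientApproval` error and leaves ownership untouched, while the owner and an approved address can still burn. It assumes OpenZeppelin Contracts v5 (where `_checkAuthorized` lives) and forge-std; the addresses `SELLER`, `BIDDER_1` and `APPROVED` are constructed for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the original finding or the BidBeasts code base.
// Assumes OpenZeppelin Contracts v5 (ERC721 with _checkAuthorized) and forge-std.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

/// Hypothetical minimal NFT with the recommended mitigation applied to burn().
contract HardenedBeasts is ERC721 {
    event BidBeastsBurn(address indexed burner, uint256 indexed tokenId);

    uint256 private _nextId;

    constructor() ERC721("HardenedBeasts", "HB") {}

    // Open mint for test purposes only; the real contract restricts minting to its owner.
    function mint(address to) external returns (uint256 tokenId) {
        tokenId = _nextId++;
        _mint(to, tokenId);
    }

    function burn(uint256 tokenId) public {
        address owner = ownerOf(tokenId);              // reverts with ERC721NonexistentToken if unminted/burned
        _checkAuthorized(owner, msg.sender, tokenId);  // owner, approved address or approved operator only
        _burn(tokenId);
        emit BidBeastsBurn(msg.sender, tokenId);
    }
}

contract HardenedBurnTest is Test {
    HardenedBeasts nft;

    // Constructed test addresses (not from the audited project).
    address constant SELLER = address(0xA11CE);
    address constant BIDDER_1 = address(0xB0B);
    address constant APPROVED = address(0xC0FFEE);

    function setUp() public {
        nft = new HardenedBeasts();
    }

    /// A non-owner can no longer burn someone else's token.
    function test_burn_RevertsForNonOwner() public {
        uint256 tokenID = nft.mint(SELLER);

        // _checkAuthorized reverts with ERC721InsufficientApproval(spender, tokenId)
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721InsufficientApproval.selector, BIDDER_1, tokenID)
        );
        vm.prank(BIDDER_1);
        nft.burn(tokenID);

        // Ownership is unchanged, so the marketplace listing stays intact
        assertEq(nft.ownerOf(tokenID), SELLER, "non-owner burn must not change ownership");
    }

    /// The owner keeps the ability to burn, and ownerOf reverts afterwards.
    function test_burn_AllowsOwner() public {
        uint256 tokenID = nft.mint(SELLER);

        vm.prank(SELLER);
        nft.burn(tokenID);

        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, tokenID));
        nft.ownerOf(tokenID);
    }

    /// A per-token approved address is authorized by _checkAuthorized as well.
    function test_burn_AllowsApprovedAddress() public {
        uint256 tokenID = nft.mint(SELLER);

        vm.prank(SELLER);
        nft.approve(APPROVED, tokenID);

        vm.prank(APPROVED);
        nft.burn(tokenID);

        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, tokenID));
        nft.ownerOf(tokenID);
    }
}
```

Run with `forge test --mc HardenedBurnTest`. Asserting on the specific custom error selector, rather than a bare `vm.expectRevert()`, makes the test fail if the revert ever comes from a different path (for example an unminted token), so it pins down that the access check itself is what blocks the unauthorized burn.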
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
