Normally, an NFT burn function should only allow the owner of the token or an approved operator to destroy the NFT.
In this code, there is no access control in place, which means any external account can burn NFTs owned by any user. This results in unauthorized destruction of assets.
Likelihood:
Every time the burn function is called, there is no restriction on the caller.
Any user who knows or guesses a valid tokenId can invoke this function and permanently burn NFTs they don’t own.
Impact:
Users' NFTs can be destroyed without their consent.
An attacker can simply call the function with any victim’s tokenId:
Require that the caller is either the owner or approved operator of the token before allowing burning:
In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.