Normal behavior:
ERC-721 itself does not define a burn function; in the common OpenZeppelin ERC721Burnable extension, burn can only be called by the token owner, the address approved for that token, or an operator approved for all of the owner's tokens. This ensures that NFTs cannot be destroyed by arbitrary third parties.
Specific issue:
In the current implementation, the burn function is declared public and directly calls _burn(_tokenId) without validating ownership or approval. OpenZeppelin's _burn is an internal helper that performs no authorization check of its own, so any account, EOA or contract, can call burn on any minted token ID regardless of whether it owns or is approved for that token.
Likelihood:
The function is public, so it is always callable by any account (EOA or contract) with no access restriction.
Because the _isApprovedOrOwner check is missing, the attack does not depend on any contract state or configuration; a single call to burn succeeds against any token that exists.
Impact:
Attackers can destroy NFTs owned by other users, leading to permanent loss of assets.
This can erode trust in the collection, devalue the marketplace listings, and damage the project’s reputation.
Recommended mitigation:
Restrict burn to the token owner or an approved operator by checking authorization before calling _burn: _isApprovedOrOwner(msg.sender, _tokenId) in OpenZeppelin v4, or _checkAuthorized(ownerOf(_tokenId), msg.sender, _tokenId) in v5, and revert if the check fails.
Alternatively, remove the custom implementation and inherit OpenZeppelin's ERC721Burnable, whose burn function already performs this check before destroying the token.
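The following is an added example written for this report, not the BidBeasts code. It places the unchecked burn pattern described under "Specific issue" next to the two mitigations above. It assumes OpenZeppelin Contracts v4.x (where ERC721 exposes _isApprovedOrOwner); the contract names, the custom error, and the open mint helper are illustrative only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the BidBeasts code. Assumes OpenZeppelin Contracts v4.x.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ERC721Burnable} from "@openzeppelin/contracts/token/ERC721/extensions/ERC721Burnable.sol";

// Vulnerable form: _burn is an internal helper with no caller check, so any
// account can destroy any minted token.
contract UncheckedBurnNFT is ERC721 {
    constructor() ERC721("Unchecked", "UNC") {}

    // Open mint, for illustration only (a real collection restricts this).
    function mint(address to, uint256 tokenId) external {
        _mint(to, tokenId);
    }

    function burn(uint256 _tokenId) public {
        _burn(_tokenId); // no ownership or approval check
    }
}

// Hardened form (OZ v4): refuse the call unless msg.sender is the owner,
// the address approved for this token, or an operator approved for all.
contract CheckedBurnNFT is ERC721 {
    error NotOwnerNorApproved(address caller, uint256 tokenId);

    constructor() ERC721("Checked", "CHK") {}

    function mint(address to, uint256 tokenId) external {
        _mint(to, tokenId);
    }

    function burn(uint256 _tokenId) public {
        if (!_isApprovedOrOwner(_msgSender(), _tokenId)) {
            revert NotOwnerNorApproved(_msgSender(), _tokenId);
        }
        _burn(_tokenId);
    }
}

// Alternative: drop the custom burn and inherit ERC721Burnable, whose
// burn(uint256) performs the same authorization check before calling _burn.
contract BurnableNFT is ERC721Burnable {
    constructor() ERC721("Burnable", "BRN") {}

    function mint(address to, uint256 tokenId) external {
        _mint(to, tokenId);
    }
}
```

A quick regression check for either hardened contract: mint a token to address A, call burn from an unrelated address B and expect a revert, then call burn from A (or from an address A approved) and expect ownerOf to revert afterwards because the token no longer exists. On OpenZeppelin v5 the _isApprovedOrOwner helper no longer exists; the equivalent is _checkAuthorized(ownerOf(_tokenId), _msgSender(), _tokenId), or calling _update(address(0), _tokenId, _msgSender()) as v5's ERC721Burnable does, which enforces the check internally.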
Summary:
In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.