In the `BidBeasts_NFT_ERC721` contract, when someone wants to burn their NFT, they call the `BidBeasts_NFT_ERC721::burn` function.
However, `BidBeasts_NFT_ERC721::burn` has no checks to prevent anyone from calling it to burn someone else's NFT.
Likelihood:
This attack will occur when a malicious wallet calls the `BidBeasts_NFT_ERC721::burn` function on the contract with someone else's token ID to burn their NFT.
Impact:
A user's NFT will be burned, and any money he could have made from it would be gone.
1. The owner of the `BidBeastsNFTMarketPlace.sol` mints an NFT.
2. This owner gives the NFT to a seller.
3. This seller decides to sell the NFT given to him and lists it on the `BidBeastsNFTMarketPlace.sol`.
4. Before anyone can buy his NFT, an attacker calls the `BidBeasts_NFT_ERC721::burn` function and burns his NFT.
5. The seller has lost his NFT.
*Side note: The seller's NFT can be burned even if it is not listed in the marketplace.*
Add a check to `BidBeasts_NFT_ERC721::burn` that only allows the owner of an NFT to burn his NFT.
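One way to write that check, as an added example rather than the project's own code. It assumes the token inherits OpenZeppelin's `ERC721`; the contract name `BurnGuardExample`, the `NotTokenOwner` error, the sample `mint` and the commented-out unguarded `burn` body are hypothetical stand-ins for what the finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: the token is built on OpenZeppelin's ERC721 base contract.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Hypothetical contract; stands in for BidBeasts_NFT_ERC721.
contract BurnGuardExample is ERC721 {
    // Hypothetical custom error carrying the rejected caller and token.
    error NotTokenOwner(address caller, uint256 tokenId);

    uint256 private _nextId; // constructed counter for the sample mint

    constructor() ERC721("BurnGuardExample", "BGE") {}

    // Sample mint so the guard can be exercised in a test;
    // not the project's mint logic.
    function mint(address to) external returns (uint256 tokenId) {
        tokenId = _nextId++;
        _mint(to, tokenId);
    }

    // Unguarded shape the finding describes (assumed, kept as a comment):
    // nothing ties msg.sender to the token, so any address can destroy it.
    //
    // function burn(uint256 tokenId) public {
    //     _burn(tokenId);
    // }

    // Guarded form: ownerOf() reverts for a nonexistent token, and the
    // comparison rejects every caller except the current owner.
    function burn(uint256 tokenId) public {
        if (ownerOf(tokenId) != msg.sender) {
            revert NotTokenOwner(msg.sender, tokenId);
        }
        _burn(tokenId);
    }
}
```

This strict owner-only check also rejects approved operators, which matches the recommendation above. A regression test for the fix should mint to one address and assert that `burn` reverts when called from any other.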
In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.