Anyone can burn any token even if it's not theirs
Root + Impact
Description
-
Normal behavior: No one should be able to
burna token/NFT which he is not the owner of -
Bad behavior: Here anyone can
burna token/NFT by calling theburn()function with the ID of the token they want to burn :_tokenId, even if its not theirs
Risk
Likelihood: High
It occurs each time someone calls the
burn()function with the_tokenIdof the NFT they want to burn as a parameter.
Impact: High
They can just burn any token they want without even owning it.
Proof of Concept
=> Call the burn() function with a _tokenId from a token ou do not own. Check that the token is indeed burnt.
Recommended Mitigation
=> Only allow the owner of the token to be able to burn it.
Lead Judging Commences
BidBeasts ERC721: Anyone Can Burn
In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.