Bid Beasts

First Flight #49
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: high
Valid

Anyone can burn any NFT

Root + Impact

Description

  • Normally, the burn function should allow only the owner or an approved operator of an NFT to destroy it.

  • In the BidBeasts contract, the burn function allows anyone to burn any token, regardless of ownership or approval.

  • This violates the ERC-721 standard and lets malicious actors permanently destroy other users’ tokens.

// @> Anyone can call burn without ownership check
function burn(uint256 _tokenId) public {
    _burn(_tokenId);                          // no check that msg.sender owns or is approved for _tokenId
    emit BidBeastsBurn(msg.sender, _tokenId);
}

The inherited _burn function from OpenZeppelin's ERC721 implementation does not validate the caller: in OpenZeppelin v5 it calls _update(address(0), tokenId, address(0)), and passing address(0) as the auth argument skips the approval check entirely.
It simply clears the owner and approval records and emits a Transfer to address(0), assuming the calling contract already performed access control.

Risk

Likelihood:

  • Any user can call burn on a valid token ID without restrictions.

  • No permission or access-control check prevents unauthorized burning.

Impact:

  • Permanent destruction of NFTs owned by other users.

  • Loss of user assets and reputational damage to the project.

Proof of Concept

The following Foundry test demonstrates that an arbitrary account can burn someone else’s NFT without approval.

function test_anyoneCanBurnOthersNFT() public {
    // OWNER mints TOKEN_ID (0) to SELLER; the address and id constants come from the test's setUp
    vm.startPrank(OWNER);
    nft.mint(SELLER);
    vm.stopPrank();
    // Verify SELLER really owns the token
    assertEq(nft.ownerOf(TOKEN_ID), SELLER, "Seller should initially own the token");
    // An attacker (BIDDER_1), with no approval of any kind, calls burn on SELLER's token
    vm.startPrank(BIDDER_1);
    nft.burn(TOKEN_ID);
    vm.stopPrank();
    // The token is gone: ownerOf now reverts with OpenZeppelin's custom error
    // ERC721NonexistentToken(uint256), so match the ABI-encoded error rather than a string
    // (requires: import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";)
    vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, TOKEN_ID));
    nft.ownerOf(TOKEN_ID);
}

This test passes, proving that an arbitrary address can destroy another user’s NFT.

Recommended Mitigation

Add an ownership or approval check before calling _burn.
OpenZeppelin v5 already provides _isAuthorized(owner, spender, tokenId), which returns true only when spender is the owner, the per-token approvee, or an operator approved via setApprovalForAll; its sibling _checkAuthorized performs the same check and reverts with the ERC721InsufficientApproval custom error. Calling ownerOf first makes a burn of a nonexistent token revert with ERC721NonexistentToken instead of passing a zero owner into the check.
Restrict the burn function so only the token owner or an approved operator can call it. (Inheriting OpenZeppelin's ERC721Burnable, whose burn calls _update(address(0), tokenId, _msgSender()), is an equivalent drop-in alternative.)
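The following is an added example, not code from the BidBeasts repository: a minimal stand-in contract named HardenedBeasts that carries the restricted burn, together with a Foundry test covering the four cases a reviewer would want to see (owner burns, approved operator burns, unrelated attacker is rejected, burn of an unknown id is rejected). It assumes forge-std and OpenZeppelin Contracts v5 are installed with the usual remappings; the contract name, the mint helper and the test addresses are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the BidBeasts code base. Assumes forge-std and
// @openzeppelin/contracts v5 remappings in foundry.toml.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

/// @dev Hypothetical stand-in for BidBeasts; only mint and the hardened burn are modelled.
contract HardenedBeasts is ERC721 {
    event BidBeastsBurn(address indexed owner, uint256 indexed tokenId);
    uint256 private _nextId;

    constructor() ERC721("HardenedBeasts", "HB") {}

    function mint(address to) external returns (uint256 id) {
        id = _nextId++;
        _safeMint(to, id);
    }

    // ownerOf reverts with ERC721NonexistentToken for unknown ids; _checkAuthorized
    // reverts with ERC721InsufficientApproval unless msg.sender is the owner, the
    // per-token approvee, or an operator approved through setApprovalForAll.
    function burn(uint256 tokenId) external {
        address owner = ownerOf(tokenId);
        _checkAuthorized(owner, msg.sender, tokenId);
        _burn(tokenId);
        emit BidBeastsBurn(owner, tokenId);
    }
}

contract HardenedBurnTest is Test {
    HardenedBeasts nft;
    address seller = makeAddr("seller");     // constructed test addresses
    address operator = makeAddr("operator");
    address attacker = makeAddr("attacker");

    function setUp() public {
        nft = new HardenedBeasts();
    }

    function test_attackerCannotBurn() public {
        uint256 id = nft.mint(seller);
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721InsufficientApproval.selector, attacker, id)
        );
        nft.burn(id);
        assertEq(nft.ownerOf(id), seller, "token must survive an unauthorized burn");
    }

    function test_ownerCanBurn() public {
        uint256 id = nft.mint(seller);
        vm.prank(seller);
        nft.burn(id);
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, id));
        nft.ownerOf(id);
    }

    function test_operatorCanBurn() public {
        uint256 id = nft.mint(seller);
        vm.prank(seller);
        nft.setApprovalForAll(operator, true);
        vm.prank(operator);
        nft.burn(id);
        assertEq(nft.balanceOf(seller), 0, "operator burn must remove the token");
    }

    function test_burnUnknownTokenReverts() public {
        vm.prank(seller);
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, 42));
        nft.burn(42);
    }
}
```

Run with forge test --match-contract HardenedBurnTest. The attacker case asserts on the exact custom error so a regression that merely changes the revert reason (for example, back to a string require) is caught, and the ownerOf assertion after the failed burn confirms state was untouched.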

- function burn(uint256 _tokenId) public {
- _burn(_tokenId);
- emit BidBeastsBurn(msg.sender, _tokenId);
- }
+ function burn(uint256 _tokenId) public {
+ address owner = ownerOf(_tokenId); // ensure token exists
+ require(_isAuthorized(owner, msg.sender, _tokenId), "Not owner or approved");
+ _burn(_tokenId);
+ emit BidBeastsBurn(owner, _tokenId);
+ }
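Review bot: the added require on the `_isAuthorized` line reverts with a plain string while every other failure in this contract (including the preceding `ownerOf`) reverts with an OpenZeppelin v5 custom error; replacing `require(_isAuthorized(owner, msg.sender, _tokenId), "Not owner or approved");` with `_checkAuthorized(owner, msg.sender, _tokenId);` gives the same owner/approvee/operator check and a typed `ERC721InsufficientApproval(msg.sender, _tokenId)` error that off-chain tooling and tests can match. Separately, the emit line silently changes the event's first argument from `msg.sender` to `owner`: if `BidBeastsBurn` is consumed by indexers as "who burned", that is a behavioural change unrelated to the fix and should either be reverted or called out in the event's documentation.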
Updates

Lead Judging Commences

cryptoghost Lead Judge 25 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
