Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Misleading Burn Event Emission inside the `BidBeasts_NFT_ERC721::burn()` function

Description

  • Burn events should accurately represent who initiated the burn operation, typically the token owner.

  • `burn()` emits the `BidBeastsBurn` event with `msg.sender` as the "from" parameter. Because anyone can burn any token, that address is the caller and not necessarily the actual token owner, so the event data is misleading.

function burn(uint256 _tokenId) public {
    _burn(_tokenId);
@>  emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Likelihood:

  • Occurs every time someone burns another person's token

  • Event logs will contain misleading information

Impact:

  • Misleading event logs and analytics

  • Difficulty in tracking actual token ownership changes
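
An added example (not part of the original submission or the BidBeasts code base) of how an indexer could catch the mismatch: it cross-checks each `BidBeastsBurn` against the ERC-721 `Transfer` to the zero address in the same transaction, whose `from` field is the real owner. The decoded-log dictionary shape, the `tokenId` field name and the sample addresses are assumptions.

```python
# Added example; every log entry below is constructed sample data.
ZERO = "0x" + "00" * 20
ALICE = "0x" + "a1" * 20     # constructed token owner
ATTACKER = "0x" + "bb" * 20  # constructed non-owner caller

# Assumed shape: already-decoded logs, one dict per event.
SAMPLE_LOGS = [
    # Owner burns her own token: both events agree.
    {"tx": "0x01", "event": "Transfer", "from": ALICE, "to": ZERO, "tokenId": 0},
    {"tx": "0x01", "event": "BidBeastsBurn", "from": ALICE, "tokenId": 0},
    # Non-owner burns Alice's token: BidBeastsBurn reports the caller.
    {"tx": "0x02", "event": "Transfer", "from": ALICE, "to": ZERO, "tokenId": 1},
    {"tx": "0x02", "event": "BidBeastsBurn", "from": ATTACKER, "tokenId": 1},
    # Ordinary transfer, not a burn: ignored.
    {"tx": "0x03", "event": "Transfer", "from": ALICE, "to": ATTACKER, "tokenId": 2},
]

def reconcile_burns(logs):
    """Return one finding per BidBeastsBurn whose `from` is not the owner
    recorded by the ERC-721 Transfer-to-zero in the same transaction."""
    owners = {}  # (tx, tokenId) -> owner at burn time, taken from Transfer
    for log in logs:
        if log["event"] == "Transfer" and log["to"].lower() == ZERO:
            owners[(log["tx"], log["tokenId"])] = log["from"].lower()

    findings = []
    for log in logs:
        if log["event"] != "BidBeastsBurn":
            continue
        owner = owners.get((log["tx"], log["tokenId"]))
        reported = log["from"].lower()
        if owner is None:
            issue = "no matching Transfer to zero address"
        elif owner != reported:
            issue = "burn event names a non-owner"
        else:
            continue  # event and Transfer agree
        findings.append({"tx": log["tx"], "tokenId": log["tokenId"],
                         "owner": owner, "reported": reported, "issue": issue})
    return findings

if __name__ == "__main__":
    for finding in reconcile_burns(SAMPLE_LOGS):
        print(finding)
```
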

Proof of Concept

function test_BurnEventEmitsWrongSender() public {
    // Mint NFT to Alice
    vm.prank(OWNER);
    uint256 tokenId = nft.mint(ALICE);
    // Attacker burns Alice's NFT
    vm.prank(ATTACKER);
    // Event will emit ATTACKER as the "from" address, not ALICE
    // This is misleading since ATTACKER is not the owner
    vm.expectEmit(true, true, false, false);
    emit BidBeasts.BidBeastsBurn(ATTACKER, tokenId);
    nft.burn(tokenId);
}

Recommended Mitigation

function burn(uint256 _tokenId) public {
+ address tokenOwner = ownerOf(_tokenId);
+ require(_isAuthorized(msg.sender, _tokenId), "Not authorized to burn this token");
_burn(_tokenId);
- emit BidBeastsBurn(msg.sender, _tokenId);
+ emit BidBeastsBurn(tokenOwner, _tokenId);
}
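
Review bot: the added `require` line calls `_isAuthorized(msg.sender, _tokenId)` with two arguments, but if the contract inherits OpenZeppelin Contracts v5 ERC721 (the version that defines `_isAuthorized`), that function takes `(owner, spender, tokenId)` and this line will not compile. `tokenOwner` is already read on the line above, so pass it through: `_isAuthorized(tokenOwner, msg.sender, _tokenId)`. Separately, emitting only `tokenOwner` drops the caller's address when an approved operator performs the burn; if the event is meant to record who initiated the burn as well as whose token it was, consider emitting both addresses.
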
Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
