Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Valid

Misleading Burn Event Emission inside the `BidBeasts_NFT_ERC721::burn()` function

Description

  • Burn events should accurately represent who initiated the burn operation, typically the token owner.

  • The `BidBeastsBurn` event emits `msg.sender` as the "from" parameter. Because anyone can burn any token, that address does not represent the actual token owner, so the event data is misleading.

function burn(uint256 _tokenId) public {
    _burn(_tokenId);
@>  emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Likelihood:

  • Occurs every time someone burns another person's token

  • Event logs will contain misleading information

Impact:

  • Misleading event logs and analytics

  • Difficulty in tracking actual token ownership changes
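
One way an indexer can catch the mismatch described above, as an added example that is not part of the original submission or the BidBeasts code base. It assumes the NFT follows ERC-721, so a burn also emits Transfer(owner, address(0), tokenId) in the same transaction; the log records, transaction ids and addresses are constructed sample data.

```python
# Added example: reconcile BidBeastsBurn logs with ERC-721 Transfer logs.
# Assumption: the NFT follows ERC-721, so a burn also emits
# Transfer(owner, address(0), tokenId) in the same transaction.
ZERO = "0x" + "00" * 20

# Constructed, already-decoded sample logs; addresses are placeholders.
ALICE, BOB, ATTACKER = ("0x" + b * 20 for b in ("a1", "b0", "ee"))
SAMPLE_LOGS = [
    # tx 0x01: Alice burns her own token, both events agree
    {"tx": "0x01", "event": "Transfer", "from": ALICE, "to": ZERO, "tokenId": 0},
    {"tx": "0x01", "event": "BidBeastsBurn", "from": ALICE, "tokenId": 0},
    # tx 0x02: a third party burns Bob's token
    {"tx": "0x02", "event": "Transfer", "from": BOB, "to": ZERO, "tokenId": 1},
    {"tx": "0x02", "event": "BidBeastsBurn", "from": ATTACKER, "tokenId": 1},
    # tx 0x03: ordinary transfer, not a burn
    {"tx": "0x03", "event": "Transfer", "from": ALICE, "to": BOB, "tokenId": 2},
    # tx 0x04: burn event with no Transfer to the zero address
    {"tx": "0x04", "event": "BidBeastsBurn", "from": BOB, "tokenId": 3},
]


def find_burn_mismatches(logs):
    """Flag BidBeastsBurn logs whose "from" is not the burned token's owner."""
    owners = {}  # (tx, tokenId) -> owner, taken from the burn Transfer
    for log in logs:
        if log["event"] == "Transfer" and log["to"].lower() == ZERO:
            owners[(log["tx"], log["tokenId"])] = log["from"].lower()

    findings = []
    for log in logs:
        if log["event"] != "BidBeastsBurn":
            continue
        owner = owners.get((log["tx"], log["tokenId"]))
        reported = log["from"].lower()
        if owner == reported:
            continue
        issue = "no-burn-transfer" if owner is None else "from-is-not-owner"
        findings.append({"tx": log["tx"], "tokenId": log["tokenId"],
                         "issue": issue, "reported": reported, "owner": owner})
    return findings


if __name__ == "__main__":
    for finding in find_burn_mismatches(SAMPLE_LOGS):
        print(finding)
```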

Proof of Concept

function test_BurnEventEmitsWrongSender() public {
    // Mint NFT to Alice
    vm.prank(OWNER);
    uint256 tokenId = nft.mint(ALICE);
    // Attacker burns Alice's NFT
    vm.prank(ATTACKER);
    // Event will emit ATTACKER as the "from" address, not ALICE
    // This is misleading since ATTACKER is not the owner
    vm.expectEmit(true, true, false, false);
    emit BidBeasts.BidBeastsBurn(ATTACKER, tokenId);
    nft.burn(tokenId);
}

Recommended Mitigation

function burn(uint256 _tokenId) public {
+ address tokenOwner = ownerOf(_tokenId);
+ require(_isAuthorized(msg.sender, _tokenId), "Not authorized to burn this token");
_burn(_tokenId);
- emit BidBeastsBurn(msg.sender, _tokenId);
+ emit BidBeastsBurn(tokenOwner, _tokenId);
}
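
Review bot: on the added `require` line, `tokenOwner` is read but never passed to the authorization check. If the contract inherits OpenZeppelin's ERC721 v5 (an assumption, since the imports are not shown here), `_isAuthorized` takes `(owner, spender, tokenId)`, so the call should read `_isAuthorized(tokenOwner, msg.sender, _tokenId)`. The patch also changes who may burn, which goes beyond the event fix: the proof-of-concept test above, which expects a burn by `ATTACKER` to succeed, would need to become a revert test. Finally, when an approved operator burns, the event will now show the owner and drop the caller; document that meaning of "from" or emit both addresses.
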
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Incorrect Event Emission

placeBid emits AuctionSettled even though the auction hasn’t ended, causing misleading event logs.
