Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Broken access control when burning NFT

Description

The NFT contract exposes a public burn(tokenId) function that performs no authorization check: it verifies neither that msg.sender owns the token nor that msg.sender is an approved address or operator for it. Any externally owned account or contract can therefore call burn with an arbitrary tokenId and permanently destroy another user's NFT.

Risk

Likelihood: High

The vulnerability is trivial to exploit on-chain: it needs no preconditions beyond a valid tokenId, and token IDs are public (every mint emits an ERC721 Transfer event carrying the tokenId), so an attacker can enumerate and burn every token in the collection.

Impact: High

Unrestricted burns allow immediate, irreversible loss of user assets.

Proof of Concept

The following Foundry test proves that anyone can burn an NFT given a known tokenId. PROTOCOL_OWNER, SELLER, BIDDER_1 and nft are fixtures from the test contract's setUp; BIDDER_1 owns no token and holds no approval.

// BIDDER_1 is an unrelated account: it owns nothing and is not approved.
function test_anyone_can_burn_a_valid_nft() public {
    vm.prank(PROTOCOL_OWNER);
    nft.mint(SELLER);
    assertEq(nft.ownerOf(0), SELLER);   // token 0 belongs to SELLER

    vm.prank(BIDDER_1);
    nft.burn(0);                        // does not revert: a stranger burned SELLER's token

    vm.expectRevert();                  // ownerOf now reverts: the token no longer exists
    nft.ownerOf(0);
}

Recommended Mitigation

Restrict burn to the token's current owner. The check uses the function's parameter name _tokenId consistently; ownerOf reverts by itself if the token does not exist, so no separate existence check is needed.

function burn(uint256 _tokenId) public {
+   require(ownerOf(_tokenId) == msg.sender, "Not the owner");
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Note that this owner-only check also blocks approved addresses and operators. If the protocol needs those to burn as well (for example an escrow or marketplace contract that holds the token), use OpenZeppelin's authorization helper instead: _isApprovedOrOwner(msg.sender, _tokenId) in v4, or _isAuthorized(ownerOf(_tokenId), msg.sender, _tokenId) in v5, or inherit ERC721Burnable, whose burn already performs that check.
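The following is an added, self-contained example (not the BidBeasts code or its test suite) that puts the vulnerable pattern and the hardened version side by side and exercises both from Foundry. Contract names, the Burn event, the NotAuthorized error, the fixture addresses and the OpenZeppelin v5 / forge-std import paths are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the BidBeasts code). Assumes OpenZeppelin Contracts v5.x
// and forge-std are installed at the remapped paths below.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

/// Stand-in for the vulnerable contract: burn() is public and does no
/// authorization check, so any caller can destroy any token.
contract UncheckedBurnNFT is ERC721, Ownable {
    uint256 private _nextId;

    event Burn(address indexed caller, uint256 indexed tokenId);

    constructor() ERC721("Example", "EX") Ownable(msg.sender) {}

    function mint(address to) external onlyOwner returns (uint256 id) {
        id = _nextId++;
        _mint(to, id);
    }

    // VULNERABLE: no check that msg.sender owns or is approved for tokenId.
    function burn(uint256 tokenId) public virtual {
        _burn(tokenId);
        emit Burn(msg.sender, tokenId);
    }
}

/// Hardened variant: the caller must be the owner, the approved address for
/// this token, or an operator the owner enabled with setApprovalForAll.
contract CheckedBurnNFT is UncheckedBurnNFT {
    error NotAuthorized(address caller, uint256 tokenId);

    function burn(uint256 tokenId) public override {
        address tokenOwner = ownerOf(tokenId); // reverts if the token does not exist
        // _isAuthorized is OpenZeppelin v5's owner / approved / operator check.
        if (!_isAuthorized(tokenOwner, msg.sender, tokenId)) {
            revert NotAuthorized(msg.sender, tokenId);
        }
        super.burn(tokenId);
    }
}

/// Foundry tests: the first reproduces the finding, the second shows the fix.
/// The test contract deploys both NFTs and is therefore their Ownable owner.
contract BurnAccessTest is Test {
    address internal constant SELLER = address(0xBEEF);   // constructed fixture
    address internal constant ATTACKER = address(0xBAD);  // constructed fixture

    function test_vulnerable_anyone_can_burn() public {
        UncheckedBurnNFT nft = new UncheckedBurnNFT();
        uint256 id = nft.mint(SELLER);

        vm.prank(ATTACKER);
        nft.burn(id);          // does not revert: a stranger destroyed the token

        vm.expectRevert();     // ownerOf reverts because the token is gone
        nft.ownerOf(id);
    }

    function test_fixed_rejects_unauthorized_burn() public {
        CheckedBurnNFT nft = new CheckedBurnNFT();
        uint256 id = nft.mint(SELLER);

        vm.prank(ATTACKER);
        vm.expectRevert(
            abi.encodeWithSelector(CheckedBurnNFT.NotAuthorized.selector, ATTACKER, id)
        );
        nft.burn(id);
        assertEq(nft.ownerOf(id), SELLER); // still owned by SELLER

        vm.prank(SELLER);
        nft.burn(id);          // the owner may still burn
        vm.expectRevert();
        nft.ownerOf(id);
    }
}
```

Run with `forge test --match-contract BurnAccessTest -vvv`. The hardened contract reverts with a custom error rather than a string so the test can assert on the exact failure, and it uses _isAuthorized rather than an owner-only equality check so that approvals and operators keep working, which matters for any marketplace contract that must hold the token on the seller's behalf.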

Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.