Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Missing Access Control in `BidBeasts::burn` Function

Root + Impact

  • Root Cause: The burn function in the BidBeasts contract allows any user to burn any token without verifying ownership or approval, as it lacks an access control check (e.g., using _isApprovedOrOwner). This violates the ERC-721 standard, which mandates that only the token owner or an approved operator should be able to destroy a token. The current implementation relies solely on the internal _burn call without restrictions.

  • Impact: This vulnerability enables malicious actors to burn tokens they do not own, resulting in permanent loss of assets for legitimate owners. It breaks the trust and ownership guarantees expected in NFT contracts, potentially causing financial and sentimental damage to users and severely undermining confidence in the BidBeasts platform.

Description:

The BidBeasts::burn function currently allows any user to burn any token, as there is no access control check in place.
This violates the expected ERC-721 behavior where only the token owner or an approved operator should be able to burn a token.

function burn(uint256 _tokenId) public {
@>  // No ownership or approval check here
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

  • Likelihood: High. The vulnerability is exploitable by any user with access to the contract, but it requires the attacker to target specific tokens, which may depend on their visibility or value. The likelihood increases in an open marketplace with active NFT trading.

  • Impact: High. The ability to destroy others’ tokens without authorization poses a significant security risk, leading to asset loss, user dissatisfaction, and potential legal or reputational damage to the platform. This severity warrants immediate attention and remediation.

Proof of Concept:

  • This test demonstrates an unauthorized burn vulnerability in BidBeasts::burn.

  • Any arbitrary address (not token owner or approved) can call burn(tokenId) and permanently destroy another user’s NFT.

  • This test checks if an attacker can burn a token that they do not own or have approval for.

Results:

  • Alice owns tokenId initially with balance = 1

  • Attacker (no approval, not owner) calls burn(tokenId)

  • Alice’s balance becomes 0 and ownerOf(tokenId) reverts (token destroyed)
    → Confirms missing access control on burn()

Add the following to the BidBeastsNFTMarketTest.t.sol test file.

Proof of Code
function test_attacker_can_burn_someone_elses_token() public {
    // This test checks if an attacker can burn a token that they do not own or have approval for.
    address alice = makeAddr("alice"); // legitimate token recipient
    address attacker = makeAddr("attacker"); // malicious actor

    // Owner mints a token to Alice
    vm.prank(OWNER);
    uint256 tokenId = nft.mint(alice);

    // Sanity: Alice owns the token before the attack
    assertEq(nft.ownerOf(tokenId), alice);
    assertEq(nft.balanceOf(alice), 1);
    console.log("Balance of Alice before attack:", nft.balanceOf(alice));

    // Attacker (not owner nor approved) calls burn(tokenId)
    vm.prank(attacker);
    nft.burn(tokenId);
    console.log("Balance of Alice after attack:", nft.balanceOf(alice));

    // After burn: Alice balance decreased and ownerOf should revert
    assertEq(nft.balanceOf(alice), 0);

    // ownerOf for a burned/nonexistent token reverts: assert that it reverts
    vm.expectRevert();
    nft.ownerOf(tokenId);

    // Logs:
    // Balance of Alice before attack: 1
    // Balance of Alice after attack: 0
}

Recommended Mitigation:

Restrict the BidBeasts::burn function so that only the token owner or an approved operator can call it.

For example:

+ error BidBeast__NotOwnerOrApproved();
  function burn(uint256 _tokenId) public {
+     // Only the owner or an approved operator may destroy the token
+     if (!_isApprovedOrOwner(msg.sender, _tokenId)) {
+         revert BidBeast__NotOwnerOrApproved();
+     }
      _burn(_tokenId);
      emit BidBeastsBurn(msg.sender, _tokenId);
  }
  • This ensures burning is consistent with ERC-721 security standards.
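A regression test for the mitigated function, added here as an example and not part of the original submission. It assumes the recommended change above is applied inside the `BidBeasts` contract (so the selector is reachable as `BidBeasts.BidBeast__NotOwnerOrApproved.selector`) and reuses the same fixture as the PoC (`nft`, `OWNER`, `makeAddr`) from BidBeastsNFTMarketTest.t.sol.

```solidity
// Added example (not the project's own test). Assumes the mitigated burn()
// and the BidBeastsNFTMarketTest.t.sol fixture: `nft`, `OWNER`, `makeAddr`.
function test_burn_requires_owner_or_approval() public {
    address alice = makeAddr("alice");       // legitimate owner
    address operator = makeAddr("operator"); // will be approved by Alice
    address attacker = makeAddr("attacker"); // neither owner nor approved

    vm.prank(OWNER);
    uint256 tokenId = nft.mint(alice);

    // 1. Unauthorized caller is rejected with the custom error and the
    //    token is untouched.
    vm.prank(attacker);
    vm.expectRevert(BidBeasts.BidBeast__NotOwnerOrApproved.selector);
    nft.burn(tokenId);
    assertEq(nft.ownerOf(tokenId), alice);
    assertEq(nft.balanceOf(alice), 1);

    // 2. An approved operator (standard ERC-721 approve) may burn.
    vm.prank(alice);
    nft.approve(operator, tokenId);
    vm.prank(operator);
    nft.burn(tokenId);
    vm.expectRevert(); // token no longer exists
    nft.ownerOf(tokenId);
    assertEq(nft.balanceOf(alice), 0);

    // 3. The owner may still burn their own token.
    vm.prank(OWNER);
    uint256 tokenId2 = nft.mint(alice);
    vm.prank(alice);
    nft.burn(tokenId2);
    vm.expectRevert();
    nft.ownerOf(tokenId2);
    assertEq(nft.balanceOf(alice), 0);
}
```

If the project builds on OpenZeppelin Contracts v5, `_isApprovedOrOwner` no longer exists; the equivalent internal check there is `_isAuthorized(_ownerOf(_tokenId), msg.sender, _tokenId)`, and the test above is unchanged.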

Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
