Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Missing owner check allows anyone to burn any NFT

Description

  • Under normal circumstances, only the owner of an NFT (or an address the owner has approved) should be able to burn it.

  • BidBeasts_NFT_ERC721::burn performs no authorization check at all: any caller can pass any existing token ID and destroy it. Note that the emitted event records msg.sender, not the token's owner, so the log does not even show whose token was destroyed.

    function burn(uint256 _tokenId) public {
        _burn(_tokenId);
        emit BidBeastsBurn(msg.sender, _tokenId);
    }

Risk

Likelihood:

  • High: the attack is a single unprivileged call to burn with the target token ID. No ownership, approval, or prior setup is required, and it can be repeated for every token ID that exists.

Impact:

  • Any minted token can be destroyed by an arbitrary third party at any time, so holders have no guarantee of keeping their NFTs.

  • The protocol's core functionality, an NFT marketplace, is denied once listed tokens are burned out from under it; the proof of concept below burns a token while the market contract holds it.

  • A buyer who completes a purchase can lose the funds they spent, since anyone can burn the token immediately after it is transferred.

Proof of Concept

Place the following into BidBeastsMarketPlaceTest.t.sol.

    function testAnyoneCanBurn() public {
        // Set up a minted and listed token using the test file's existing helpers.
        _mintNFT();
        _listNFT();
        assertEq(nft.ownerOf(TOKEN_ID), address(market), "NFT should be held by the market");

        // An unrelated address with no ownership or approval burns the token.
        address attacker = makeAddr("attacker");
        vm.startPrank(attacker);
        nft.burn(TOKEN_ID);
        vm.stopPrank();

        // The token no longer exists: ownerOf reverts for a burned ID.
        vm.expectRevert();
        nft.ownerOf(TOKEN_ID);
    }

Recommended Mitigation

  • Restrict who may call BidBeasts_NFT_ERC721::burn. One option, shown below, is to add the contract's onlyOwner modifier so that only the contract owner can burn. Note that onlyOwner (Ownable) checks the contract owner, not the holder of the token; if token holders are meant to be able to burn their own NFTs, check ownerOf(_tokenId) and the ERC721 approvals against msg.sender instead.

- function burn(uint256 _tokenId) public {
+ function burn(uint256 _tokenId) public onlyOwner {
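The following is an added example, not code from the BidBeasts project, showing the token-holder variant of the fix beside the vulnerable shape from the finding, with a Foundry test that an unapproved caller is rejected while the holder and an approved address succeed. It assumes OpenZeppelin Contracts v5 and forge-std are available through the project's remappings; the contract name BurnHardenedNFT, the custom error, and the unrestricted mint helper are hypothetical and exist only to make the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not BidBeasts code). Assumes OpenZeppelin Contracts v5 and
// forge-std are installed and mapped as below.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Test} from "forge-std/Test.sol";

/// @dev Hypothetical minimal stand-in for BidBeasts_NFT_ERC721.
contract BurnHardenedNFT is ERC721 {
    error NotTokenOwnerOrApproved(address caller, uint256 tokenId);

    event BidBeastsBurn(address indexed burner, uint256 indexed tokenId);

    constructor() ERC721("BidBeasts", "BB") {}

    /// @dev Unrestricted mint so the test can create state; the real
    /// contract presumably restricts minting.
    function mint(address to, uint256 tokenId) external {
        _mint(to, tokenId);
    }

    /// Vulnerable shape from the finding, kept here only for comparison:
    ///     function burn(uint256 _tokenId) public { _burn(_tokenId); ... }
    ///
    /// Hardened: only the token owner, the per-token approved address, or an
    /// operator approved for all may burn. ownerOf reverts for a nonexistent
    /// token, so burning an already-burned ID also fails.
    function burn(uint256 _tokenId) public {
        address owner = ownerOf(_tokenId);
        bool authorized = msg.sender == owner
            || getApproved(_tokenId) == msg.sender
            || isApprovedForAll(owner, msg.sender);
        if (!authorized) revert NotTokenOwnerOrApproved(msg.sender, _tokenId);
        _burn(_tokenId);
        emit BidBeastsBurn(msg.sender, _tokenId);
    }
}

contract BurnHardenedNFTTest is Test {
    BurnHardenedNFT nft;
    address holder;
    address attacker;
    uint256 constant TOKEN_ID = 1;

    function setUp() public {
        nft = new BurnHardenedNFT();
        holder = makeAddr("holder");
        attacker = makeAddr("attacker");
        nft.mint(holder, TOKEN_ID);
    }

    function testAttackerCannotBurn() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(
                BurnHardenedNFT.NotTokenOwnerOrApproved.selector, attacker, TOKEN_ID
            )
        );
        nft.burn(TOKEN_ID);
        // Token is untouched.
        assertEq(nft.ownerOf(TOKEN_ID), holder);
    }

    function testHolderCanBurn() public {
        vm.prank(holder);
        nft.burn(TOKEN_ID);
        vm.expectRevert(); // ownerOf reverts once the token no longer exists
        nft.ownerOf(TOKEN_ID);
    }

    function testApprovedAddressCanBurn() public {
        vm.prank(holder);
        nft.approve(attacker, TOKEN_ID); // explicitly approved for this token
        vm.prank(attacker);
        nft.burn(TOKEN_ID);
        vm.expectRevert();
        nft.ownerOf(TOKEN_ID);
    }
}
```

Because the check is against ownerOf, a token that the marketplace escrows while listed (the proof of concept shows the market contract holding it) can no longer be burned by the original lister or by anyone else during the listing, which is the intended outcome for an escrowed asset.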

Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
