Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Unrestricted Token Burning Allows Complete Asset Destruction

Unrestricted Token Burning Allows Anyone to Destroy NFTs, Causing Complete Loss of Users' Assets

Description

  • Expected behaviour: only the token owner, or an address the owner has approved (per-token approval or setApprovalForAll), can burn a token, mirroring the ownership check that ERC721 transfers perform.

  • Actual behaviour: burn() is public and calls the internal _burn() directly. OpenZeppelin's _burn() is documented as performing no authorization check of its own (callers are expected to do that), so any address can permanently destroy any existing token, including one that is listed or mid-auction on the marketplace.

function burn(uint256 _tokenId) public {
@>  _burn(_tokenId); // No ownership check: anyone can burn any token
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Likelihood: High

  • Any malicious actor can call this function at any time with any valid token ID

  • The function is public and has no access controls or prerequisites

Impact: High

  • Complete permanent loss of user NFTs with no recovery mechanism

  • Financial loss for NFT holders who paid for their tokens

  • Marketplace disruption when listed NFTs are burned while auctions are active

Proof of Concept

The PoC demonstrates how any malicious user can permanently destroy NFTs belonging to other users without any authorization or ownership validation.

Add the test below to BidBeastsMarketPlaceTest.t.sol (it reuses the OWNER, SELLER, BIDDER_1, TOKEN_ID and nft fixtures already defined there).

function testBurnSomeoneElsesToken() public {
    // Mint NFT to SELLER
    vm.prank(OWNER);
    nft.mint(SELLER);
    assertEq(nft.balanceOf(SELLER), 1);
    assertEq(nft.ownerOf(TOKEN_ID), SELLER);

    // BIDDER_1 (not the owner, not approved) burns SELLER's token
    vm.prank(BIDDER_1);
    nft.burn(TOKEN_ID);

    // SELLER loses their NFT permanently
    assertEq(nft.balanceOf(SELLER), 0);

    // Token no longer exists. OpenZeppelin reverts with the custom error
    // ERC721NonexistentToken(uint256), so the expected revert data must be
    // the ABI-encoded error, not a plain string.
    vm.expectRevert(abi.encodeWithSignature("ERC721NonexistentToken(uint256)", TOKEN_ID));
    nft.ownerOf(TOKEN_ID);
}

Then run:

forge test --match-path test/BidBeastsMarketPlaceTest.t.sol --match-test testBurnSomeoneElsesToken

Recommended Mitigation

burn() should only succeed for the token owner or an approved operator, which is the standard ERC721 authorization rule and prevents unauthorized asset destruction. OpenZeppelin's _checkAuthorized() applies exactly that rule and reverts with ERC721InsufficientApproval for anyone else (ownerOf() already reverts with ERC721NonexistentToken for unknown IDs).

function burn(uint256 _tokenId) public {
+   _checkAuthorized(ownerOf(_tokenId), msg.sender, _tokenId);
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}
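The following is an added, self-contained Foundry example (not the BidBeasts code base) that puts the mitigated burn() next to tests covering each authorization path: a stranger is rejected, the owner and an approved operator succeed, and burning an unknown ID reverts. The contract name GuardedNFT, the event name Burned and the test addresses are hypothetical; it assumes OpenZeppelin Contracts v5 (which provides _checkAuthorized and the ERC-6093 custom errors) and forge-std are installed with the usual remappings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the BidBeasts project.
// Assumes OpenZeppelin Contracts v5 and forge-std.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

// Hypothetical minimal NFT whose burn() is gated the way the mitigation proposes.
contract GuardedNFT is ERC721 {
    uint256 private _nextId;

    event Burned(address indexed by, uint256 indexed tokenId);

    constructor() ERC721("GuardedNFT", "GNFT") {}

    function mint(address to) external returns (uint256 id) {
        id = _nextId++;
        _mint(to, id);
    }

    // Only the owner, the per-token approvee, or an operator approved via
    // setApprovalForAll may burn. ownerOf() reverts with ERC721NonexistentToken
    // for unknown IDs; _checkAuthorized() reverts with ERC721InsufficientApproval
    // for any other caller, so _burn() is only reached by an authorized address.
    function burn(uint256 tokenId) external {
        _checkAuthorized(ownerOf(tokenId), msg.sender, tokenId);
        _burn(tokenId);
        emit Burned(msg.sender, tokenId);
    }
}

contract GuardedNFTTest is Test {
    GuardedNFT nft;
    address owner = makeAddr("owner");       // hypothetical test accounts
    address attacker = makeAddr("attacker");
    address operator = makeAddr("operator");

    function setUp() public {
        nft = new GuardedNFT();
    }

    // The attack from the finding: a stranger tries to burn someone else's token.
    function testStrangerCannotBurn() public {
        uint256 id = nft.mint(owner);
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721InsufficientApproval.selector, attacker, id)
        );
        nft.burn(id);
        assertEq(nft.ownerOf(id), owner); // token untouched
    }

    function testOwnerCanBurn() public {
        uint256 id = nft.mint(owner);
        vm.prank(owner);
        nft.burn(id);
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, id));
        nft.ownerOf(id);
    }

    function testApprovedOperatorCanBurn() public {
        uint256 id = nft.mint(owner);
        vm.prank(owner);
        nft.setApprovalForAll(operator, true);
        vm.prank(operator);
        nft.burn(id);
        assertEq(nft.balanceOf(owner), 0);
    }

    function testBurningUnknownTokenReverts() public {
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, 42));
        nft.burn(42);
    }
}
```

Run it with `forge test --match-contract GuardedNFTTest -vv`. The per-token approval path (approve() followed by burn() from the approvee) passes the same _checkAuthorized() check and can be added as a fourth success case; the important property is that every path that may burn is exactly the set of addresses that may transfer.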
Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
