Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT

Submission Details
Severity: medium
Valid

Missing ERC721Receiver implementation causes permanent NFT lock

Description:

The BidBeastsNFTMarket contract lacks an implementation of the onERC721Received() function, which the ERC721 standard makes mandatory for contracts that receive ERC721 tokens. When NFTs are transferred to the marketplace contract via transferFrom() during the listing process, they become permanently locked because the contract cannot properly handle incoming NFT transfers. This violates the ERC721 standard's safety mechanism, which exists to prevent accidental token burns.

Attack path:

  1. User calls listNFT(tokenId, _minPrice, _buyNowPrice) to list their NFT for auction

  2. The contract executes BBERC721.transferFrom(msg.sender, address(this), tokenId)

  3. The NFT is transferred to the marketplace contract address

  4. Since the marketplace contract doesn't implement IERC721Receiver.onERC721Received(), the NFT becomes permanently locked

  5. Even if auctions complete successfully, the contract cannot transfer the NFT to winners because it's not properly recognized as holding the token

  6. All listed NFTs become irretrievable, effectively burning them

Impact:

Permanent loss of user NFTs

Auctions cannot be completed as NFTs cannot be transferred to winners

Bidders lose their ETH while receiving no NFT in return

Recommended Mitigation:

Implement the IERC721Receiver interface by adding the following code to the BidBeastsNFTMarket contract (only the additions are shown; the rest of the contract is unchanged):

```solidity
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

contract BidBeastsNFTMarket is Ownable, IERC721Receiver {
    // Called by ERC721.safeTransferFrom when this contract is the recipient.
    // Returning the selector tells the token contract the transfer is accepted;
    // any other return value (or a missing function) makes safeTransferFrom revert.
    // The parameters are unused here, so the function can be pure.
    function onERC721Received(
        address operator,
        address from,
        uint256 tokenId,
        bytes calldata data
    ) external pure override returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```
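To see the hook in action, the Foundry test below (added here; it is not part of the submission or of the BidBeasts code base) sends a token to a holder contract with and without onERC721Received using both transferFrom and safeTransferFrom. MockNFT, BareHolder and ReceiverHolder are constructed stand-ins, not the project's contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Constructed minimal NFT standing in for the project's token (assumption, not BBERC721).
contract MockNFT is ERC721 {
    constructor() ERC721("Mock", "MCK") {}
    function mint(address to, uint256 id) external { _mint(to, id); }
}

// A holder with no onERC721Received: the shape the finding describes.
contract BareHolder {}

// A holder that implements the hook, as the mitigation recommends.
contract ReceiverHolder is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}

contract ReceiverCheckTest is Test {
    MockNFT nft;
    address alice = makeAddr("alice");

    function setUp() public {
        nft = new MockNFT();
        nft.mint(alice, 1);
    }

    // transferFrom never consults the receiver hook: the bare contract ends up owning the token.
    function test_TransferFromSkipsReceiverCheck() public {
        BareHolder bare = new BareHolder();
        vm.prank(alice);
        nft.transferFrom(alice, address(bare), 1);
        assertEq(nft.ownerOf(1), address(bare));
    }

    // safeTransferFrom calls the hook and reverts when the recipient does not implement it...
    function test_SafeTransferFromRejectsBareContract() public {
        BareHolder bare = new BareHolder();
        vm.prank(alice);
        vm.expectRevert();
        nft.safeTransferFrom(alice, address(bare), 1);
    }

    // ...and succeeds once the recipient returns the expected selector.
    function test_SafeTransferFromAcceptsReceiver() public {
        ReceiverHolder holder = new ReceiverHolder();
        vm.prank(alice);
        nft.safeTransferFrom(alice, address(holder), 1);
        assertEq(nft.ownerOf(1), address(holder));
    }
}
```

Run with `forge test` in a project that has forge-std and OpenZeppelin contracts installed.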
Updates

Lead Judging Commences

cryptoghost Lead Judge 26 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts Marketplace: Risk of Locked NFTs

Non-safe transferFrom calls can send NFTs to non-compliant contracts, potentially locking them permanently.
