Bid Beasts

First Flight #49
Beginner Friendly | Foundry | Solidity | NFT
100 EXP
Submission Details
Severity: high
Valid

H01. Unrestricted burn

Root + Impact

Description

The expected behaviour of an ERC721 contract is that only the token owner, or an operator the owner has approved, can burn a given token. That is what keeps users in control of their assets and rules out destruction by third parties.

In the current BidBeasts implementation, burn(uint256 _tokenId) is public and unrestricted: it calls _burn() without checking that msg.sender owns the token or is approved for it. As a result, any address can burn any token, including tokens it does not own.

function burn(uint256 _tokenId) public {
@>  _burn(_tokenId); // no owner/approval check on msg.sender
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Likelihood:

  • Any address can directly call burn(tokenId) at any time.

  • This requires no special permissions or preconditions.

Impact:

  • NFTs can be destroyed without the consent of their rightful owners.

  • Any marketplace auction whose NFT is burned mid-auction can no longer settle: transferring a token that no longer exists reverts, so settlement fails permanently, a denial of service for that listing.


Proof of Concept

Below is a Foundry PoC test. It shows how an attacker (BIDDER_1) can burn the SELLER's NFT without owning it or being approved for it.

function test_attack_unrestrictedBurn() public {
    // Mint NFT for the seller
    vm.startPrank(OWNER);
    nft.mint(SELLER);
    vm.stopPrank();
    assertEq(nft.ownerOf(TOKEN_ID), SELLER, "Seller should own token initially");

    // Attacker (BIDDER_1) burns a token it neither owns nor is approved for
    vm.prank(BIDDER_1);
    nft.burn(TOKEN_ID);

    // The token no longer exists, so ownerOf reverts. This revert string is the
    // OpenZeppelin 4.x message; on 5.x the revert is the custom error
    // ERC721NonexistentToken(uint256) instead.
    vm.expectRevert("ERC721: invalid token ID");
    nft.ownerOf(TOKEN_ID);
    // Seller has lost the asset permanently
}

Outcome:
The NFT owned by SELLER is destroyed by BIDDER_1. This breaks the fundamental NFT ownership guarantee and can also brick auctions in the marketplace contract.
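The following is an added, self-contained Foundry example written for this write-up; it is not BidBeasts code or the contest test suite. It assumes OpenZeppelin Contracts v5.x and forge-std are installed, and uses stand-in contracts and addresses (UnrestrictedBurnNFT, GuardedBurnNFT, SELLER, OPERATOR, ATTACKER) chosen for illustration. It places the unrestricted burn pattern beside a guarded one built on OZ v5's _checkAuthorized, and asserts that a stranger can destroy a token in the first but is rejected by the second, while the owner and an approved operator still can burn.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not BidBeasts code. Assumes OpenZeppelin Contracts v5.x + forge-std.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

/// Stand-in reproducing the finding: burn() has no authorization check.
contract UnrestrictedBurnNFT is ERC721 {
    constructor() ERC721("Example", "EX") {}
    function mint(address to, uint256 id) external { _mint(to, id); }
    function burn(uint256 id) external { _burn(id); } // anyone can call this
}

/// Same contract with the burn gated by OZ v5's authorization helper.
contract GuardedBurnNFT is ERC721 {
    constructor() ERC721("Example", "EX") {}
    function mint(address to, uint256 id) external { _mint(to, id); }
    function burn(uint256 id) external {
        // Reverts with ERC721InsufficientApproval (or ERC721NonexistentToken) unless
        // msg.sender is the owner, approved for this id, or an approved operator.
        _checkAuthorized(ownerOf(id), msg.sender, id);
        _burn(id);
    }
}

contract BurnAuthTest is Test {
    // Hypothetical actors chosen for the example.
    address constant SELLER = address(0xA11CE);
    address constant OPERATOR = address(0xB0B);
    address constant ATTACKER = address(0xBAD);
    uint256 constant TOKEN_ID = 1;

    function test_unrestrictedBurnLetsStrangerDestroyToken() public {
        UnrestrictedBurnNFT nft = new UnrestrictedBurnNFT();
        nft.mint(SELLER, TOKEN_ID);

        vm.prank(ATTACKER);
        nft.burn(TOKEN_ID); // succeeds: no check on msg.sender

        // Token is gone: ownerOf now reverts with the v5 custom error.
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, TOKEN_ID)
        );
        nft.ownerOf(TOKEN_ID);
    }

    function test_guardedBurnRejectsStranger() public {
        GuardedBurnNFT nft = new GuardedBurnNFT();
        nft.mint(SELLER, TOKEN_ID);

        vm.prank(ATTACKER);
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721InsufficientApproval.selector, ATTACKER, TOKEN_ID)
        );
        nft.burn(TOKEN_ID);

        assertEq(nft.ownerOf(TOKEN_ID), SELLER, "token must survive an unauthorized burn");
    }

    function test_guardedBurnAllowsOwnerAndApprovedOperator() public {
        GuardedBurnNFT nft = new GuardedBurnNFT();
        nft.mint(SELLER, 1);
        nft.mint(SELLER, 2);

        // Owner burns their own token.
        vm.prank(SELLER);
        nft.burn(1);

        // Owner approves an operator for all tokens; operator burns the second one.
        vm.prank(SELLER);
        nft.setApprovalForAll(OPERATOR, true);
        vm.prank(OPERATOR);
        nft.burn(2);

        assertEq(nft.balanceOf(SELLER), 0, "both burns by authorized callers should succeed");
    }
}
```

Run with `forge test --match-contract BurnAuthTest -vv`. The guarded variant relies on the same authorization rule ERC721.transferFrom uses in v5 (owner, per-token approval, or operator approval), so burn and transfer cannot drift apart; if the project is on OpenZeppelin 4.x, the equivalent check is `require(_isApprovedOrOwner(msg.sender, id))`.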


Recommended Mitigation

Restrict burning to the token owner or an approved operator using OpenZeppelin's _isApprovedOrOwner check, and read the owner before calling _burn so the event can record it (ownerOf reverts once the token no longer exists).

- function burn(uint256 _tokenId) public {
- _burn(_tokenId);
- emit BidBeastsBurn(msg.sender, _tokenId);
- }
+ function burn(uint256 _tokenId) public {
+ require(_isApprovedOrOwner(msg.sender, _tokenId), "Not authorized to burn");
+ address owner = ownerOf(_tokenId);
+ _burn(_tokenId);
+ emit BidBeastsBurn(owner, _tokenId);
+ }
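Review bot: the added check `+ require(_isApprovedOrOwner(msg.sender, _tokenId), "Not authorized to burn");` only compiles against OpenZeppelin Contracts 4.x; that internal helper was removed in 5.x, where the equivalent is `_checkAuthorized(ownerOf(_tokenId), msg.sender, _tokenId);` (or `_isAuthorized(owner, msg.sender, _tokenId)` inside the require). Confirm which version BidBeasts imports before applying the patch. Reading `owner` before `_burn` is correct since `ownerOf` reverts after the burn; if the indexer needs to know who triggered the burn as well, consider keeping `msg.sender` in the event alongside the owner.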

Updates

Lead Judging Commences

cryptoghost Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
