Bid Beasts

First Flight #49
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: high
Valid

Unauthorized Token Burning by Anyone


Description

The burn function in the BidBeasts ERC721 contract is meant to let a token's owner (or an authorized user) permanently remove the token from circulation. The function performs no access control at all: it passes the caller-supplied token ID straight to _burn, so any address can burn any existing token without owning it or being approved for it.

```solidity
function burn(uint256 _tokenId) public {
@>  _burn(_tokenId); // no ownership or approval check on msg.sender
    emit BidBeastsBurn(msg.sender, _tokenId);
}
```

Risk

Likelihood:

  • High: any address can call burn on any existing token ID; no special conditions, approvals or timing are required.

  • When a malicious actor targets specific tokens during auctions or transfers.

Impact:

  • Permanent loss of the NFT for the legitimate owner.

  • Disruption of marketplace listings, as burned tokens cannot be transferred or sold.

Proof of Concept

The test mints an NFT to SELLER, then has a non-owner (BIDDER_1) call burn, which succeeds. It then verifies the token is gone by expecting ownerOf to revert with ERC721NonexistentToken, proving the unauthorized burn took effect.

```solidity
// include this among the test file's imports
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

function testAnyoneCanBurnAnyToken() public {
    _mintNFT(); // mints TOKEN_ID (token 0) to SELLER

    // BIDDER_1 (non-owner, not approved) burns SELLER's token
    vm.prank(BIDDER_1);
    nft.burn(TOKEN_ID);

    // The token no longer exists: ownerOf reverts with the ERC-6093 error
    vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, TOKEN_ID));
    nft.ownerOf(TOKEN_ID);
}
```

Recommended Mitigation

Add an ownership check before _burn so that only the token's current owner can burn it. Because ownerOf reverts with ERC721NonexistentToken for a token that does not exist, the same line also rejects burns of unminted or already-burned IDs. If approved operators should be allowed to burn as well, and the contract builds on OpenZeppelin v5 (as the PoC's ERC-6093 import suggests), the internal _checkAuthorized(ownerOf(_tokenId), msg.sender, _tokenId) used by ERC721Burnable can replace the strict owner comparison.

```diff
function burn(uint256 _tokenId) public {
+   require(ownerOf(_tokenId) == msg.sender, "Not token owner");
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}
```
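A regression test for the mitigated burn, as an added example that is not part of the original submission. It assumes the same Foundry harness as the PoC above (an `nft` instance, a `_mintNFT()` helper that mints `TOKEN_ID` to `SELLER`, and a `BIDDER_1` address) and that burn now carries the recommended require with the string "Not token owner". It checks the two behaviours the fix should guarantee, that non-owners (including approved operators, under the strict owner-only check) are rejected while the owner can still burn, and that a rejected attempt leaves the token untouched.

```solidity
// Added example: regression test for the owner-only burn (not the project's own test).
// Assumes the PoC's harness names (nft, _mintNFT, SELLER, BIDDER_1, TOKEN_ID) and
// that burn() reverts with "Not token owner" for non-owners.
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

function testBurnRestrictedToOwner() public {
    _mintNFT(); // TOKEN_ID is owned by SELLER

    // 1. A non-owner is rejected with the require message from the fix.
    vm.prank(BIDDER_1);
    vm.expectRevert("Not token owner");
    nft.burn(TOKEN_ID);

    // 2. The strict owner comparison also rejects an approved operator.
    //    (Swap to _checkAuthorized in the contract if operators should be allowed.)
    vm.prank(SELLER);
    nft.approve(BIDDER_1, TOKEN_ID);
    vm.prank(BIDDER_1);
    vm.expectRevert("Not token owner");
    nft.burn(TOKEN_ID);

    // 3. The failed attempts left the token intact.
    assertEq(nft.ownerOf(TOKEN_ID), SELLER);

    // 4. The legitimate owner can still burn it...
    vm.prank(SELLER);
    nft.burn(TOKEN_ID);

    // ...after which ownerOf reverts with the ERC-6093 custom error.
    vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, TOKEN_ID));
    nft.ownerOf(TOKEN_ID);
}
```

Run it alongside the PoC with `forge test --match-test testBurnRestrictedToOwner -vvv`; the original PoC should now fail at the first burn, which is the expected sign that the fix is in place.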
Updates

Lead Judging Commences

cryptoghost (Lead Judge), about 1 month ago: Submission Judgement Published. Validated. Assigned finding tags:
BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
