Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Anyone can burn BidBeasts NFT (ERC721 token) even if it's listed

Root + Impact

Because anyone can call the burn function, a listed NFT can be destroyed by any account, which creates a denial of service (DoS) risk for marketplace users and a loss of platform fees.

Description

The burn function is supposed to be a protected core function, callable only by an authorized entity (account) such as the contract owner or another entity that has been granted access.

Calling this function successfully sends the NFT to the zero address (it ceases to exist) and makes it unavailable on the marketplace to be bid on or purchased.

This leads to a classic denial of service and to a loss for the platform, since fees cannot be charged on an item (NFT) that is no longer listed because it has been burned.

Risk

Likelihood: HIGH

  • Reason 1: When the listed NFT is burned, bidders can no longer bid on it as it is non-existent.

  • Reason 2: The protocol cannot charge its 5% fee since bids cannot be placed.

Impact:

  • Impact 1: Denial of Service to platform (marketplace) users (bidders)

  • Impact 2: Loss of platform fees since fees cannot be charged on an unavailable listing.

Proof of Concept

The Solidity test function below is a PoC for the denial of service to marketplace users (bidders) and the seller, and for the loss of BidBeasts' ability to charge marketplace fees. It assumes the project's test fixture (nft, market, TOKEN_ID, MIN_PRICE, BUY_NOW_PRICE) is already set up.

function testAnyoneCanBurnNFT() public {
    // mock accounts (plain locals: Solidity does not allow visibility
    // or constant modifiers on local variables)
    address OWNER = address(0x1);    // mock owner
    address SELLER = address(0x2);   // mock seller
    address BIDDER_1 = address(0x3); // mock first bidder
    address BIDDER_2 = address(0x4); // mock second bidder
    // owner mints NFT to seller
    vm.startPrank(OWNER);
    nft.mint(SELLER);
    vm.stopPrank();
    assertEq(nft.ownerOf(TOKEN_ID), SELLER, "Seller should own the NFT");
    // seller lists NFT on marketplace
    vm.startPrank(SELLER);
    nft.approve(address(market), TOKEN_ID);
    market.listNFT(TOKEN_ID, MIN_PRICE, BUY_NOW_PRICE);
    vm.stopPrank();
    // a bidder burns the listed NFT: burn has no access control
    vm.prank(BIDDER_1);
    nft.burn(TOKEN_ID);
    // another bidder tries to place a bid on the burned NFT;
    // the token no longer exists, so the bid reverts
    vm.deal(BIDDER_2, 50 ether);
    vm.prank(BIDDER_2);
    vm.expectRevert();
    market.placeBid{value: 50 ether}(TOKEN_ID);
    // platform tries to withdraw the fee on the non-existent sale;
    // this reverts since nothing was sold after the burn
    vm.startPrank(OWNER);
    vm.expectRevert();
    market.withdrawFee();
    vm.stopPrank();
}

- owner mints NFT to seller
- seller lists the NFT
- bidder 1 burns the NFT
- bidder 2 tries to place a bid and fails
- denial of service to bidder 2, who intended to buy the listed NFT
- the marketplace cannot charge its 5% fee, since no successful bid can be placed and the NFT never changes hands

Recommended Mitigation

The onlyOwner modifier from OpenZeppelin's Ownable, or a modifier defined by BidBeasts, should be applied to the burn function so that only the contract owner or another authorized entity can burn tokens.

- remove this code (nothing to remove; the unprotected function is shown for reference)
function burn(uint256 _tokenId) public {
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}
+ add this code: the onlyOwner access control modifier on the burn function
function burn(uint256 _tokenId) public onlyOwner {
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}

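The recommended fix applied to a hypothetical minimal stand-in for the BidBeasts ERC721, together with a Foundry regression test that checks a non-owner can no longer burn a token. This is an added example, not the project's code or part of the original submission; it assumes OpenZeppelin v5 and forge-std, and the names HardenedBeasts, mint and nextId are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical minimal stand-in for the BidBeasts ERC721 with the
// recommended fix applied: burn is restricted to the contract owner.
contract HardenedBeasts is ERC721, Ownable {
    uint256 public nextId;
    event BidBeastsBurn(address indexed by, uint256 indexed tokenId);
    constructor() ERC721("BidBeasts", "BB") Ownable(msg.sender) {}

    function mint(address to) external onlyOwner returns (uint256 id) {
        id = nextId++;
        _mint(to, id);
    }
    function burn(uint256 tokenId) external onlyOwner {
        _burn(tokenId);
        emit BidBeastsBurn(msg.sender, tokenId);
    }
}

contract HardenedBurnTest is Test {
    HardenedBeasts nft;
    address constant OWNER = address(0x1);
    address constant SELLER = address(0x2);
    address constant BIDDER = address(0x3);

    function setUp() public {
        vm.prank(OWNER); // prank also applies to contract creation
        nft = new HardenedBeasts();
    }

    function testOnlyOwnerCanBurn() public {
        vm.prank(OWNER);
        uint256 id = nft.mint(SELLER);
        // a third party (e.g. a bidder) is rejected and the token survives
        vm.prank(BIDDER);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, BIDDER)
        );
        nft.burn(id);
        assertEq(nft.ownerOf(id), SELLER);
        // the contract owner can still burn
        vm.prank(OWNER);
        nft.burn(id);
        vm.expectRevert(); // ownerOf reverts for a nonexistent token
        nft.ownerOf(id);
    }
}
```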
Updates

Lead Judging Commences

cryptoghost Lead Judge 28 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
