Bid Beasts

First Flight #49
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

CRITICAL ISSUE: Anyone Can Burn Any Token

Description

  • BidBeasts.burn performs no authorization check: any caller can burn any existing token, whether or not they own it or have been approved for it.

function burn(uint256 _tokenId) public {
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Likelihood:

  • Any account can call burn at any time with any existing token ID

  • The function is public and applies no access control (no owner, approval or operator check), so there is nothing to bypass

Impact:

  • Complete loss of user assets: NFTs can be permanently destroyed by a third party

  • Holders lose their tokens without consent and without any on-chain recourse

  • The collection cannot be relied upon, since no token is guaranteed to still exist from one block to the next

Proof of Concept

// Foundry test: Bob, who neither owns nor is approved for the token, burns Alice's NFT.
// Assumes the test contract holds `owner`, `alice`, `bob` and the deployed `nft` instance.
function testAnyoneCanBurn() public {
    // Owner mints a token to Alice
    vm.prank(owner);
    uint256 tokenId = nft.mint(alice);
    assertEq(nft.ownerOf(tokenId), alice);

    // Bob, an unrelated account, burns Alice's token; the call does not revert
    vm.prank(bob);
    nft.burn(tokenId);

    // Alice's token no longer exists: ownerOf reverts and her balance is zero
    vm.expectRevert();
    nft.ownerOf(tokenId);
    assertEq(nft.balanceOf(alice), 0);
}

Recommended Mitigation

Restrict burn to the token owner or an address the owner has approved (per-token approval or operator approval), using the same authorization check ERC721 applies to transfers, and perform it before _burn, which itself does no authorization:

function burn(uint256 _tokenId) public {
+   require(_isApprovedOrOwner(msg.sender, _tokenId), "Not owner nor approved");
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Note that _isApprovedOrOwner exists only in OpenZeppelin Contracts 4.x. In 5.x it was removed; the equivalent is _checkAuthorized(ownerOf(_tokenId), msg.sender, _tokenId), or inheriting ERC721Burnable, whose burn calls _update(address(0), tokenId, _msgSender()) and performs the same check.
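
As an added example (not the project's code and not part of the original submission), the hardened burn written against OpenZeppelin Contracts 5.x, where _isApprovedOrOwner no longer exists, together with a Foundry test covering the three cases the fix must handle: the owner can burn, an approved operator can burn, and an unrelated caller is rejected with ERC721InsufficientApproval. The contract name BidBeastsHardened, the mint signature and the test accounts are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical hardened variant of the collection (example code, not the BidBeasts contract).
contract BidBeastsHardened is ERC721, Ownable {
    uint256 private _nextTokenId;

    event BidBeastsBurn(address indexed caller, uint256 indexed tokenId);

    constructor() ERC721("BidBeasts", "BB") Ownable(msg.sender) {}

    /// Assumed mint signature: only the owner mints, and the new token id is returned.
    function mint(address to) external onlyOwner returns (uint256 tokenId) {
        tokenId = _nextTokenId++;
        _safeMint(to, tokenId);
    }

    /// OZ 5.x replacement for `require(_isApprovedOrOwner(msg.sender, _tokenId))`.
    /// _checkAuthorized reverts with ERC721InsufficientApproval unless msg.sender is the
    /// owner, an approved operator, or the per-token approved address. ownerOf reverts
    /// with ERC721NonexistentToken for burned or never-minted ids. _burn does no auth itself.
    function burn(uint256 _tokenId) public {
        _checkAuthorized(ownerOf(_tokenId), msg.sender, _tokenId);
        _burn(_tokenId);
        emit BidBeastsBurn(msg.sender, _tokenId);
    }
}

contract BidBeastsHardenedTest is Test {
    BidBeastsHardened internal nft;
    address internal owner = makeAddr("owner");
    address internal alice = makeAddr("alice");
    address internal bob = makeAddr("bob");
    address internal operator = makeAddr("operator");

    function setUp() public {
        vm.prank(owner); // prank applies to CREATE, so `owner` becomes the Ownable owner
        nft = new BidBeastsHardened();
    }

    function _mintToAlice() internal returns (uint256 tokenId) {
        vm.prank(owner);
        tokenId = nft.mint(alice);
        assertEq(nft.ownerOf(tokenId), alice);
    }

    /// The original finding's attack, now rejected: Bob has no ownership or approval.
    function testStrangerCannotBurn() public {
        uint256 tokenId = _mintToAlice();
        vm.prank(bob);
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721InsufficientApproval.selector, bob, tokenId)
        );
        nft.burn(tokenId);
        assertEq(nft.ownerOf(tokenId), alice); // token survived the attempt
    }

    /// The legitimate path still works: the owner burns her own token.
    function testOwnerCanBurn() public {
        uint256 tokenId = _mintToAlice();
        vm.prank(alice);
        nft.burn(tokenId);
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, tokenId)
        );
        nft.ownerOf(tokenId);
    }

    /// Operator approval is honoured, matching ERC721 transfer semantics.
    function testApprovedOperatorCanBurn() public {
        uint256 tokenId = _mintToAlice();
        vm.prank(alice);
        nft.setApprovalForAll(operator, true);
        vm.prank(operator);
        nft.burn(tokenId);
        assertEq(nft.balanceOf(alice), 0);
    }
}
```

Run with forge test in a project that has forge-std and OpenZeppelin Contracts 5.x remapped; the third test is the one that would have caught the regression if it had been in the original suite, since it pins the revert reason rather than accepting any revert.
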
Updates

Lead Judging Commences

cryptoghost Lead Judge 30 days ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
