Bid Beasts

First Flight #49
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: high
Valid

Missing Access Control on Burn Function

Description

The function BidBeasts::burn allows any caller to burn any token ID without restriction; it never checks that msg.sender owns (or is approved for) the token.

function burn(uint256 _tokenId) public {
    // No ownership or approval check: any address can burn any token
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}

Risk

Impact (High): the winning bidder's NFT can be destroyed by anyone, without the owner's knowledge or consent.

Likelihood (High): exploiting this is trivial; any account simply calls the function with the target token ID.

Proof of Concept

Add this test to BidBeastsMarketPlaceTest.t.sol

function test_burn_function() public {
    _mintNFT();
    _listNFT();
    uint256 seller_balance_before = SELLER.balance;
    uint256 gain = BUY_NOW_PRICE - (BUY_NOW_PRICE * S_FEE_PERCENTAGE) / 100;

    // BIDDER_1 buys the token outright and becomes its owner
    vm.prank(BIDDER_1);
    market.placeBid{value: BUY_NOW_PRICE}(TOKEN_ID);
    assertEq(nft.ownerOf(TOKEN_ID), BIDDER_1);
    assertEq(SELLER.balance, seller_balance_before + gain);

    // SELLER, who no longer owns the token, destroys it via the burn function
    vm.prank(SELLER);
    nft.burn(TOKEN_ID);

    // This assertion reverts with ERC721NonexistentToken(0): the token no longer exists
    assertEq(nft.ownerOf(TOKEN_ID), BIDDER_1);
}

Recommended Mitigation

Add this line to the burn function (ownerOf reverts with ERC721NonexistentToken for unknown IDs, so the check also rejects burns of tokens that do not exist):

function burn(uint256 _tokenId) public {
+   require(ownerOf(_tokenId) == msg.sender, "not token's owner");
    _burn(_tokenId);
    emit BidBeastsBurn(msg.sender, _tokenId);
}
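The following is an added, self-contained Foundry example (not the BidBeasts project's own code) that applies the recommended owner check to a minimal stand-in ERC721 and verifies the fixed behaviour from a defender's side: a non-owner's burn reverts, the owner can still burn, and burning an unknown ID fails inside the check. It assumes a Foundry project with forge-std and OpenZeppelin Contracts v5 installed under the usual remappings; the contract name OwnerOnlyBurnNFT, the mint helper and the test addresses are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the BidBeasts project's own code. Assumes forge-std and
// OpenZeppelin Contracts v5 are installed at the remappings below.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

// Hypothetical minimal stand-in for the BidBeasts NFT with the recommended owner check.
contract OwnerOnlyBurnNFT is ERC721 {
    event BidBeastsBurn(address indexed burner, uint256 indexed tokenId);

    constructor() ERC721("BidBeasts", "BB") {}

    // Unrestricted mint, for test setup only.
    function mint(address to, uint256 tokenId) external {
        _mint(to, tokenId);
    }

    function burn(uint256 tokenId) public {
        // ownerOf reverts with ERC721NonexistentToken for unknown ids, so a token
        // that was already burned cannot be burned again either.
        require(ownerOf(tokenId) == msg.sender, "not token's owner");
        _burn(tokenId);
        emit BidBeastsBurn(msg.sender, tokenId);
    }
}

contract OwnerOnlyBurnTest is Test {
    OwnerOnlyBurnNFT nft;
    address constant OWNER = address(0xA11CE);   // constructed test addresses
    address constant ATTACKER = address(0xB0B);
    uint256 constant TOKEN_ID = 0;

    function setUp() public {
        nft = new OwnerOnlyBurnNFT();
        nft.mint(OWNER, TOKEN_ID);
    }

    // A third party can no longer destroy someone else's token.
    function test_nonOwnerCannotBurn() public {
        vm.prank(ATTACKER);
        vm.expectRevert(bytes("not token's owner"));
        nft.burn(TOKEN_ID);
        assertEq(nft.ownerOf(TOKEN_ID), OWNER);
    }

    // The legitimate owner keeps the ability to burn.
    function test_ownerCanBurn() public {
        vm.prank(OWNER);
        nft.burn(TOKEN_ID);
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, TOKEN_ID)
        );
        nft.ownerOf(TOKEN_ID);
    }

    // Burning an id that never existed reverts inside the access check itself.
    function test_burnUnknownTokenReverts() public {
        vm.prank(OWNER);
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, uint256(99))
        );
        nft.burn(99);
    }
}
```

Run it with `forge test --match-contract OwnerOnlyBurnTest`. Note that the check is strict ownership, exactly as recommended above: addresses approved via approve or setApprovalForAll are rejected too, which is the conservative choice for a destructive operation; if approved operators should be allowed to burn, that would be a deliberate design decision, not something this finding calls for.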
Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BidBeasts ERC721: Anyone Can Burn

In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.
