This contract implements an ERC-721 token used in an auction-based NFT marketplace. The burn(uint256) function lacks any access control and therefore allows any caller to permanently destroy arbitrary tokens. This contradicts the expected behavior of an ERC-721 burn (which must be restricted to the owner or an authorized party) and enables malicious destruction of user-owned NFTs, breaking auction logic and causing financial and reputational damage.
The burn() function is missing an access control check. This allows any address to burn any NFT, regardless of ownership. As a result, malicious users can destroy NFTs they do not own, disrupting the marketplace and causing financial loss to legitimate holders.
In a properly implemented ERC-721 contract, the ability to burn a token should be restricted to:
the token owner (common), or
the token owner and approved operators (if intended), or
a privileged admin (only when explicitly required).
This prevents unauthorized users from destroying other users’ NFTs.
function burn(uint256 _tokenId) public { _burn(_tokenId); ... } contains no require/authorization check. As a result, any caller may invoke burn() for any tokenId, including tokens they do not own.
// Root cause in the codebase with @> marks to highlight the relevant section
function burn(uint256 _tokenId) @> public {
_burn(_tokenId);
emit BidBeastsBurn(msg.sender, _tokenId);
}
Likelihood
Reason 1: Anyone (including automated scripts / public bots) can call burn() on any token because there is no authorization check.
Reason 2: No interaction, approval, or prior condition is required; any external address may call the function immediately after contract deployment or minting.
Impact
Impact 1: Permanent destruction of NFTs owned by legitimate users; tokens cannot be recovered.
Impact 2: Auction and marketplace state becomes inconsistent: listed tokens may be destroyed mid-auction, bids may become invalid, user balances/metadata are corrupted, and trust in the platform is lost.
PoC explanation:
Deploy PoCBurn with the address of the vulnerable BidBeasts contract.
Call PoCBurn.burnVictimToken(tokenId) where tokenId belongs to a legitimate user (e.g., an active auction item).
Because BidBeasts.burn() lacks a check that msg.sender is owner/approved, the target.burn(tokenId) call will succeed and _burn() will permanently remove ownership/state for that token.
The NFT is irrecoverably destroyed, auctions referencing it break, and owner value is lost.
The require(ownerOf(_tokenId) == msg.sender, ...) check ensures that only the current token owner can call burn. This prevents arbitrary accounts from destroying others’ tokens.
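As an added example (not the BidBeasts project's code), the burn function with the owner check described above, together with a Foundry test that exercises the scenario from the PoC explanation from the defender's side: a burn call from an address that does not own the token now reverts and the token survives, while the owner's call succeeds. It assumes OpenZeppelin's ERC721 base (whose internal _burn takes a single tokenId), forge-std's Test helpers, and a hypothetical mint(address) function, since the page shows no minting logic; the BidBeastsBurn event signature is likewise an assumption inferred from the emit in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the BidBeasts project's code.
// Assumes OpenZeppelin ERC721 (4.x or 5.x) and forge-std for the test.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Test} from "forge-std/Test.sol";

contract HardenedBidBeasts is ERC721 {
    // Assumed event shape, inferred from `emit BidBeastsBurn(msg.sender, _tokenId)`.
    event BidBeastsBurn(address indexed burner, uint256 indexed tokenId);

    uint256 private _nextId; // constructed: the page shows no mint logic

    constructor() ERC721("BidBeasts", "BB") {}

    // Hypothetical mint helper so the test can create tokens.
    function mint(address to) external returns (uint256 id) {
        id = _nextId++;
        _mint(to, id);
    }

    // Fixed burn: only the current owner may destroy a token.
    // ownerOf reverts for a nonexistent token, so an already-burned id
    // cannot be burned again either.
    function burn(uint256 _tokenId) public {
        require(ownerOf(_tokenId) == msg.sender, "BidBeasts: caller is not owner");
        _burn(_tokenId);
        emit BidBeastsBurn(msg.sender, _tokenId);
    }
}

// Foundry test: the unauthorized-burn scenario must fail after the fix.
contract BurnAccessControlTest is Test {
    HardenedBidBeasts nft;
    address alice = makeAddr("alice");     // legitimate token holder
    address mallory = makeAddr("mallory"); // unrelated third party

    function setUp() public {
        nft = new HardenedBidBeasts();
    }

    function test_nonOwnerCannotBurn() public {
        uint256 id = nft.mint(alice);
        vm.prank(mallory);
        vm.expectRevert(bytes("BidBeasts: caller is not owner"));
        nft.burn(id);
        // The token still exists and still belongs to alice.
        assertEq(nft.ownerOf(id), alice);
    }

    function test_ownerCanBurn() public {
        uint256 id = nft.mint(alice);
        vm.prank(alice);
        nft.burn(id);
        // ownerOf reverts for a burned token (message differs between OZ versions,
        // so the generic expectRevert is used).
        vm.expectRevert();
        nft.ownerOf(id);
    }
}
```

Run with `forge test --match-contract BurnAccessControlTest`. If the marketplace intends approved operators to burn as well, replace the ownerOf comparison with the base contract's approval check (_isApprovedOrOwner in OpenZeppelin 4.x, _isAuthorized in 5.x) rather than widening the require by hand; either way the check must run before _burn, which clears ownership state.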
In the BidBeasts ERC721 implementation, the burn function is publicly accessible, allowing any external user to burn NFTs they do not own. This exposes all tokens to unauthorized destruction and results in permanent asset loss.