BURN any ERC721 tokens in DRIFT NFT protocol by just sending the tokenID on the public burn function

[code423n4]

Lines of code

https://github.com/code-423n4/2023-01-drips/blob/main/src/NFTDriver.sol#L244

Vulnerability details

Impact

• Access control plays an important role in segregation of privileges in smart contracts and other applications. If this is misconfigured or not properly validated on sensitive functions, it may lead to loss of funds, tokens, and in some cases, compromise of the smart contract.

• The contract NFTDriver is importing an access control library @openzeppelin/contracts/access/AccessControl.sol but the function burn is missing the modifier onlyRole or onlyAdmins.

Proof of Concept

Call this public burn function by sending the tokenID as an input to the function

function burn(uint256 tokenId) public override whenNotPaused {
        super.burn(tokenId);
    }

• GitHub : https://github.com/code-423n4/2023-01-drips/blob/main/src/NFTDriver.sol#L244

Tools Used

Manual

Recommended Mitigation Steps

• It is recommended to go through the contract and observe the functions that are lacking an access control modifier. If they contain sensitive administrative actions, it is advised to add a suitable modifier to the same

[GalloDaSballo]

Invalid https://github.com/OpenZeppelin/openzeppelin-contracts/blob/3b591a48acaab78008ed39d60fbcf429a83155ca/contracts/token/ERC721/extensions/ERC721Burnable.sol#L23

[c4-judge]

GalloDaSballo marked the issue as unsatisfactory: Invalid