Unsafe NFT Minting in LPNFT Contract May Lead to Stuck Tokens
Summary
The LPNFT contract uses unsafe NFT minting which could lead to tokens being permanently stuck if sent to contracts that don't support NFT handling.
Vulnerability Details
In the LPNFT contract, NFTs are minted using the standard mint() function rather than safeMint(). This means there is no validation that the recipient can actually handle NFTs.
The issue occurs in the minting logic:
This is problematic because:
Smart contracts that don't implement
onERC721Received()will not be able to handle the NFTThe NFT could become permanently stuck if sent to such a contract
This prevents legitimate smart contract wallets from properly interacting with the protocol
The standard mint() function does not check if the recipient is capable of handling NFTs, while safeMint() includes this validation by checking for onERC721Received() implementation.
Impact
Loss of funds - NFTs and their associated liquidity positions could become permanently stuck if minted to incompatible contracts.
Tools Used
Manual Review
Recommendations
Replace the unsafe mint() call with safeMint() to ensure recipients can handle NFTs:
This change will:
Validate that recipients can handle NFTs before minting
Allow safe interaction with smart contract wallets
Prevent NFTs from becoming stuck in incompatible contracts
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.