Eggstravaganza

Summary

The depositEggToVault function allows users to deposit NFTs into the EggVault contract. However, it does not enforce internal access control on the vault side and relies on an external input for identifying the depositor, which can be unsafe if misused or front-run.

Vulnerability Details

• Although the function verifies that msg.sender owns the NFT before transferring it to the vault, it passes the depositor (msg.sender) to depositEgg, which is a public method on the vault contract.

• If the depositEgg function on the EggVault does not enforce access control or ownership checks itself, a malicious actor could call it directly or front-run legitimate deposits to claim others’ NFTs.

• The security of this function relies on the assumption that the depositEgg function behaves securely and isn't externally callable or misused—which is not enforced here.

Impact

An attacker could potentially claim ownership of NFTs deposited into the vault if the vault contract allows setting depositor values from external callers without proper verification. This could lead to loss of assets for legitimate players.

Tools Used

Manual Review

Recommendations

• Do not rely on external input for the depositor. The vault should determine the depositor from msg.sender.

• Remove the msg.sender argument and enforce ownership inside the vault contract.

• Alternatively, perform the full NFT transfer and depositor registration atomically within the vault, so external calls like depositEgg cannot be exploited