### [H-2] An attacker can steal the token of another player (because `EggVault::depositEgg` requires the token to be owned by the vault) if the player chooses to deposit his token without using the `EggHuntGame::depositEggToVault` function
**Description:** `EggVault::depositEgg` requires that the token is first transferred to the `EggVault` contract. If a player wants to deposit his token without using the function `EggHuntGame::depositEggToVault`, he must first transfer ownership of the token to the vault and then call the function `depositEgg`, leaving a window for an attacker to claim the token.
**Impact:** Any player who chooses not to use `EggHuntGame::depositEggToVault` to deposit their token into the vault is susceptible to losing their token if an attacker calls the function `EggVault::depositEgg` after the player transferred the ownership and before he could call `EggVault::depositEgg` himself.
**Proof of Concept:**
1. Player finds the eggNFT
2. Player transfers the ownership of the eggNFT to the vault to be later deposited
3. Attacker calls the function `EggVault::depositEgg` before the player could
4. The token is deposited with the attacker's address recorded as the depositor
5. The player's transaction reverts because the token is already assigned to the attacker
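```javascript
function testStealToken() public {
    address player = address(0x123);
    address attacker = address(0x1232);

    // The game mints egg #20 to the player.
    vm.prank(address(game));
    nft.mintEgg(player, 20);

    // Step 1 of the manual deposit: the player hands the token to the vault.
    vm.prank(player);
    nft.transferFrom(player, address(vault), 20);

    // Before the player completes step 2, the attacker registers the deposit
    // under his own address.
    vm.prank(attacker);
    vault.depositEgg(20, attacker);

    // The player's own deposit call now reverts: the egg is already deposited.
    vm.expectRevert();
    vm.prank(player);
    vault.depositEgg(20, player);
}
```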
**Recommended Mitigation:** Modify `EggVault::depositEgg` to require that `msg.sender` is the initial owner of the token, not the vault.
```diff
- function depositEgg(uint256 tokenId, address depositor) public {
+ function depositEgg(uint256 tokenId) public {
- require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
+ require(eggNFT.ownerOf(tokenId) == msg.sender, "NFT not owned by the sender");
require(!storedEggs[tokenId], "Egg already deposited");
storedEggs[tokenId] = true;
- eggDepositors[tokenId] = depositor;
+ eggDepositors[tokenId] = msg.sender;
- emit EggDeposited(depositor, tokenId);
+ emit EggDeposited(msg.sender, tokenId);
}
```
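Review bot: After the new `require(eggNFT.ownerOf(tokenId) == msg.sender, ...)` check, nothing in the function moves the token into the vault, so `storedEggs[tokenId]` is set and `EggDeposited` is emitted while the sender still holds the NFT. Suggest pulling the token in the same call, for example `eggNFT.transferFrom(msg.sender, address(this), tokenId);` after the state updates, which requires the sender to have approved the vault. Removing the `depositor` parameter also changes the signature, so callers that pass two arguments, such as `vault.depositEgg(20, attacker)` in the test above, need updating, and any caller that transfers the token to the vault before calling `depositEgg` will now fail the ownership check.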
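Another way to close the window described in this finding is to make the transfer and the bookkeeping a single step through the ERC-721 receiver hook. The sketch below is an added example, not the project's code and not the mitigation recommended above: the contract name `AtomicEggVault`, its storage layout and `withdrawEgg` are assumptions, and it relies on OpenZeppelin's `IERC721` and `IERC721Receiver` interfaces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

/// Hypothetical vault: a deposit is recorded only inside the receiver hook,
/// in the same transaction that moves the token, so no third party can
/// register the deposit between the transfer and the bookkeeping.
contract AtomicEggVault is IERC721Receiver {
    IERC721 public immutable eggNFT;
    mapping(uint256 => address) public eggDepositors;

    event EggDeposited(address indexed depositor, uint256 tokenId);
    event EggWithdrawn(address indexed withdrawer, uint256 tokenId);

    constructor(IERC721 _eggNFT) {
        eggNFT = _eggNFT;
    }

    /// Invoked by the NFT contract during safeTransferFrom(owner, vault, id).
    /// `from` is the previous owner, so the depositor cannot be chosen freely.
    function onERC721Received(address, address from, uint256 tokenId, bytes calldata)
        external
        returns (bytes4)
    {
        require(msg.sender == address(eggNFT), "Unsupported NFT");
        require(from != address(0), "Mint to vault not allowed");
        require(eggDepositors[tokenId] == address(0), "Egg already deposited");
        eggDepositors[tokenId] = from;
        emit EggDeposited(from, tokenId);
        return IERC721Receiver.onERC721Received.selector;
    }

    /// Only the recorded depositor can take the egg back.
    function withdrawEgg(uint256 tokenId) external {
        require(eggDepositors[tokenId] == msg.sender, "Not the original depositor");
        delete eggDepositors[tokenId]; // effects before the external call
        eggNFT.transferFrom(address(this), msg.sender, tokenId);
        emit EggWithdrawn(msg.sender, tokenId);
    }
}
```

A token sent with plain `transferFrom` bypasses the hook and is held by this vault with no depositor recorded, so it cannot be claimed by anyone, including an attacker; players would need to deposit with `safeTransferFrom`.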