Violates Checks-Effects-Interactions
function withdrawEgg(uint256 tokenId) public {
// No Checks step: nothing verifies the egg is actually stored or that msg.sender deposited it
// State updated BEFORE external call
storedEggs[tokenId] = false;
delete eggDepositors[tokenId];
eggNFT.transferFrom(address(this), msg.sender, tokenId); // 🚨 Reentrancy risk: external call into an NFT contract the vault does not control
}
Because the function never verifies that the token is stored in the vault or that msg.sender is its depositor, any caller can trigger a withdrawal for any token id, and a malicious NFT contract could re-enter during transferFrom and drain the vault.
Tools used: manual review.
The following snippet can be used as a fix:
function withdrawEgg(uint256 tokenId) external nonReentrant {
require(storedEggs[tokenId], "Egg not in vault");
require(eggDepositors[tokenId] == msg.sender, "Not depositor");
storedEggs[tokenId] = false;
delete eggDepositors[tokenId];
eggNFT.transferFrom(address(this), msg.sender, tokenId); // Safe after state update
}
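As an added regression test for the recommended fix (not part of this finding or the project's code base), the Foundry test below wraps the fixed withdrawEgg in a minimal vault and checks both require paths; it assumes OpenZeppelin 5 import paths, and the EggNFT mock, depositEgg, the storage layout and the test addresses are constructed for this example.

```solidity
pragma solidity ^0.8.20;
import "forge-std/Test.sol";
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
contract EggNFT is ERC721 { // minimal NFT constructed for this test: token 1 goes to `owner`
    constructor(address owner) ERC721("Egg", "EGG") { _mint(owner, 1); }
}
// Vault carrying the fixed withdrawEgg; depositEgg and the storage layout are assumptions.
contract EggVault is ReentrancyGuard {
    IERC721 public immutable eggNFT;
    mapping(uint256 => bool) public storedEggs; mapping(uint256 => address) public eggDepositors;
    constructor(IERC721 nft) { eggNFT = nft; }
    function depositEgg(uint256 tokenId) external {
        eggNFT.transferFrom(msg.sender, address(this), tokenId);
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = msg.sender;
    }
    function withdrawEgg(uint256 tokenId) external nonReentrant {
        require(storedEggs[tokenId], "Egg not in vault");               // Checks
        require(eggDepositors[tokenId] == msg.sender, "Not depositor");
        storedEggs[tokenId] = false;                                      // Effects
        delete eggDepositors[tokenId];
        eggNFT.transferFrom(address(this), msg.sender, tokenId);          // Interaction
    }
}
contract EggVaultTest is Test {
    address alice = makeAddr("alice"); address bob = makeAddr("bob");
    EggNFT nft; EggVault vault;
    function setUp() public {
        nft = new EggNFT(alice); vault = new EggVault(nft);
        vm.startPrank(alice);
        nft.approve(address(vault), 1);
        vault.depositEgg(1);
        vm.stopPrank();
    }
    // Checks: a caller who is not the depositor is rejected before any state changes.
    function testNonDepositorCannotWithdraw() public {
        vm.prank(bob);
        vm.expectRevert(bytes("Not depositor"));
        vault.withdrawEgg(1);
    }
    // Effects before Interaction: once withdrawn, the same id cannot be withdrawn again.
    function testDepositorWithdrawsExactlyOnce() public {
        vm.startPrank(alice);
        vault.withdrawEgg(1);
        assertEq(nft.ownerOf(1), alice);
        vm.expectRevert(bytes("Egg not in vault"));
        vault.withdrawEgg(1);
    }
}
```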