Eggstravaganza
First Flight #37
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Changing NFT address post-deposit locks deposited NFTs in vault

0xnbvc

Vulnerability Details

The setEggNFT function allows the owner to change the eggNFT contract address after deployment. If eggs from the original NFT contract are deposited and the owner subsequently calls setEggNFT to point to a different NFT contract, the withdrawal mechanism breaks.

/// @notice Set the NFT contract address.
function setEggNFT(address _eggNFTAddress) external onlyOwner {
require(_eggNFTAddress != address(0), "Invalid NFT address");
//@audit-issue changing the NFT address will break the mappings and the withdraw function will fail
eggNFT = EggstravaganzaNFT(_eggNFTAddress);
}

The withdrawEgg function will later attempt to call transferFrom on the new eggNFT instance using a tokenId associated with the original contract, causing the withdrawal to fail revert because the vault doesn't own that token ID on the new contract.

Impact

Deposited NFTs become permanently locked in the EggVault contract, as users cannot withdraw their NFTs if the referenced EggstravaganzaNFT contract address is changed after their deposit.

Recommendation

Initialize the eggNFT address immutably in the constructor and remove the setEggNFT function.

Updates

Lead Judging Commences

m3dython Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

State corruption

Changing the NFT contract address doesn't update the storedEggs and eggDepositors mappings

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.