Eggstravaganza

First Flight #37
Submission Details
Severity: medium
Invalid

Missing Approval Checks in EggVault Deposits

Summary:

The depositEgg function inside EggVault.sol doesn't verify if the vault was approved to transfer the NFT.

    function depositEgg(uint256 tokenId, address depositor) public {
        require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
        require(!storedEggs[tokenId], "Egg already deposited");
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = depositor;
        emit EggDeposited(depositor, tokenId);
    }

Vulnerability Details:

The function only checks current ownership:

    require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");

But doesn't verify the depositor actually approved the transfer, which could lead to inconsistent state if NFTs are force-transferred.

Impact

Medium - Could result in improperly recorded deposits.

Tools Used:

Manual Review

Recommendations

Add approval checks after the below line

require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
+ require(
+ eggNFT.getApproved(tokenId) == address(this) ||
+ eggNFT.isApprovedForAll(depositor, address(this)),
+ "Not approved"
+ );
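
Review bot: The added require sits after the `ownerOf(tokenId) == address(this)` check, so it only runs once the vault already owns the token, and at that point it cannot tell how the token arrived. Under ERC-721 the per-token approval is cleared when a token is transferred, so `getApproved(tokenId)` would no longer return the vault, and the require then passes only if `depositor` has called `setApprovalForAll` for the vault. Because `depositor` is a caller-supplied argument of `depositEgg`, that second branch says nothing about who actually sent the NFT. If the goal is to bind the recorded depositor to the sender, consider having the vault perform the transfer itself inside `depositEgg` rather than checking approvals after the fact.
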
Updates

Lead Judging Commences

m3dython Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
