Eggstravaganza
First Flight #37
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Use of _mint Instead of _safeMint in EggstravaganzaNFT::mintEgg

molaratai

Summary

// EggstravaganzaNFT.sol
function mintEgg(address to, uint256 tokenId) external returns (bool) {
require(msg.sender == gameContract, "Unauthorized minter");
@> _mint(to, tokenId);
totalSupply += 1;
return true;
}

The NFT contract implements token minting using the _mint function rather than _safeMint. While testing confirms that the current implementation allows NFTs to be successfully minted to contract addresses and subsequently transferred/withdrawn, this approach deviates from ERC-721 best practices.

Impact

Low: The current implementation functions correctly while minting to EOA's. However, using _mint instead of _safeMint creates a risk that tokens could become permanently locked if minted to a contract that doesn't support ERC-721 tokens but wasn't tested in the current implementation.

Tools Used

Manual review

Recommendations

Replace _mint with _safeMint to follow industry best practices and prevent potential token lockup scenarios:

function mintEgg(address to, uint256 tokenId) external returns (bool) {
require(msg.sender == gameContract, "Unauthorized minter");
- _mint(to, tokenId);
+ _safeMint(to, tokenId);
totalSupply += 1;
return true;
}
Updates

Lead Judging Commences

m3dython Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unsafe ERC721 Minting

Protocol doesn't check if recipient contracts can handle ERC721 tokens

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.