Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Malicious user can steal the Eggs NFT

Summary

The depositEgg function allows anyone to claim ownership of an NFT that has been transferred to the vault. This creates a race condition where attackers can frontrun legitimate deposits and steal NFTs.

Vulnerability Details

The depositEgg function only checks if the NFT is in the vault, but not who sent it. When a user sends their NFT to the vault and tries to call depositEgg to claim it, a frontrunner can watch the mempool and call depositEgg first, setting themselves as the depositor. Since the NFT is already in the vault, the frontrunner's transaction succeeds, making them the recorded owner who can later withdraw the NFT.
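
The ordering problem described above, as an added Python state model (not the contest's Solidity code and not part of the original submission). It compares the two-step transfer-then-`depositEgg` flow with a single-call deposit; the class names, the `deposit_egg` signature and the account names are assumptions made for the model.

```python
# Added illustration: toy state model, not the contest's Solidity code.
class Revert(Exception): pass          # stands in for an EVM revert

class EggNFT:                          # hypothetical minimal ERC-721-style ledger
    def __init__(self, owner, approved):
        self.owner, self.approved = dict(owner), dict(approved)
    def transfer_from(self, caller, src, dst, token_id):
        if self.owner.get(token_id) != src:
            raise Revert("wrong owner")
        if caller != src and self.approved.get(token_id) != caller:
            raise Revert("not approved")
        self.owner[token_id] = dst
        self.approved.pop(token_id, None)

class Vault:
    ADDR = "vault"
    def __init__(self, nft):
        self.nft, self.depositor = nft, {}      # depositor: tokenId -> recorded owner
    def _register(self, caller, token_id):
        if token_id in self.depositor:
            raise Revert("Egg already deposited")
        self.depositor[token_id] = caller
    def deposit_egg(self, caller, token_id):    # assumed signature: registers the caller
        if self.nft.owner.get(token_id) != self.ADDR:   # only check: vault holds the token
            raise Revert("NFT not in vault")
        self._register(caller, token_id)
    def safe_deposit(self, caller, token_id):   # transfer and registration in one call
        self.nft.transfer_from(self.ADDR, caller, self.ADDR, token_id)
        self._register(caller, token_id)

def run(txs):                          # apply calls in block order, collect reverts
    reverted = []
    for i, tx in enumerate(txs):
        try:
            tx()
        except Revert as e:
            reverted.append((i, str(e)))
    return reverted

def scenario(single_tx):
    vault = Vault(EggNFT({1: "alice"}, {1: Vault.ADDR}))  # constructed state: alice owns egg 1
    if single_tx:
        txs = [lambda: vault.safe_deposit("bob", 1), lambda: vault.safe_deposit("alice", 1)]
    else:
        txs = [lambda: vault.nft.transfer_from("alice", "alice", Vault.ADDR, 1),
               lambda: vault.deposit_egg("bob", 1),     # ordered ahead of alice's call
               lambda: vault.deposit_egg("alice", 1)]
    reverted = run(txs)
    return vault.depositor[1], reverted
```

`scenario(False)` records the wrong depositor because registration is a separate call that anyone can make once the vault holds the token; `scenario(True)` cannot, because the pull from the caller fails unless the caller owns the token.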

Impact

A malicious user can steal any NFT sent to the vault by frontrunning the legitimate depositor's transaction.

Tools Used

Manual

Recommendations

Implement a deposit pattern that combines the transfer and the registration in a single transaction.

+ function safeDeposit(uint256 tokenId) public {
+ // Transfer directly from sender to vault
+ eggNFT.transferFrom(msg.sender, address(this), tokenId);
+
+ // Register the deposit
+ require(!storedEggs[tokenId], "Egg already deposited");
+ storedEggs[tokenId] = true;
+ eggDepositors[tokenId] = msg.sender;
+ emit EggDeposited(msg.sender, tokenId);
+ }
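
Review bot: `depositEgg` is not removed or restricted anywhere in this hunk, so an egg that reaches the vault by a plain transfer can still be registered by whoever calls `depositEgg` first; the change should also retire that function or limit who may call it. Inside `safeDeposit`, the `require(!storedEggs[tokenId], "Egg already deposited")` check sits after the `eggNFT.transferFrom` call, and moving it above the transfer keeps the checks-effects-interactions order and fails before the external call. The function also relies on the caller having approved the vault for `tokenId`, which is worth stating in a comment on the function.
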
Updates

Lead Judging Commences

m3dython Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Frontrunning Vulnerability DepositEgg

Front-running depositEgg allows deposit ownership hijacking.
