Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
Severity: high
Valid

Public depositEgg Function

Summary

The depositEgg function is public, allowing anyone to call it with any tokenId owned by the vault and set any depositor.

Vulnerability Details

The function checks eggNFT.ownerOf(tokenId) == address(this) but does not restrict who may call it, so the depositor argument is whatever the caller supplies. For example, if a player transfers an NFT to the vault and calls depositEgg with their address, they can set themselves as the depositor, bypassing intended ownership checks.

Impact

Unauthorized users could transfer NFTs to the vault and claim ownership by calling depositEgg, enabling them to withdraw eggs they didn't deposit.

Tools Used

  • Manual code review

  • Solidity best practices and ERC721 standard guidelines

  • Grok by xAI

Recommendations

Restrict depositEgg to only be callable by the EggHuntGame contract or owner. Add a gameContract variable and modify the function:

    // Address of the EggHuntGame contract allowed to register deposits.
    address public gameContract;

    function setGameContract(address _gameContract) external onlyOwner {
        require(_gameContract != address(0), "Invalid game contract address");
        gameContract = _gameContract;
    }

    function depositEgg(uint256 tokenId, address depositor) public {
        // Caller restriction: only the game contract or the owner may record a depositor.
        require(msg.sender == gameContract || msg.sender == owner(), "Only game contract or owner can deposit");
        require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
        require(!storedEggs[tokenId], "Egg already deposited");
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = depositor;
        emit EggDeposited(depositor, tokenId);
    }

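
A Foundry regression test for the restricted depositEgg above, added here as an example; it is not part of the original submission or the project's code. MockEggNFT, RestrictedVault, the plain owner variable (in place of the project's owner()) and the three addresses are constructed stand-ins, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the egg NFT: the vault check only needs ownerOf.
contract MockEggNFT {
    mapping(uint256 => address) public ownerOf;
    function setOwner(uint256 tokenId, address to) external { ownerOf[tokenId] = to; }
}

// Minimal vault carrying the restricted depositEgg from the recommendation.
// Assumption: ownership is a plain `owner` variable, not the project's Ownable.
contract RestrictedVault {
    MockEggNFT public eggNFT;
    address public owner = msg.sender;
    address public gameContract;
    mapping(uint256 => bool) public storedEggs;
    mapping(uint256 => address) public eggDepositors;
    constructor(MockEggNFT nft, address game) { eggNFT = nft; gameContract = game; }

    function depositEgg(uint256 tokenId, address depositor) public {
        require(msg.sender == gameContract || msg.sender == owner, "Only game contract or owner can deposit");
        require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
        require(!storedEggs[tokenId], "Egg already deposited");
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = depositor;
    }
}

contract DepositEggAccessTest is Test {
    MockEggNFT nft = new MockEggNFT();
    address game = address(0xA11CE);    // hypothetical EggHuntGame address
    address player = address(0xB0B);    // constructed depositor
    address stranger = address(0xBAD);  // constructed unauthorized caller
    RestrictedVault vault = new RestrictedVault(nft, game);

    function test_onlyGameCanRecordDepositor() public {
        nft.setOwner(1, address(vault)); // egg 1 is held by the vault, not yet recorded

        vm.prank(stranger);              // a caller that is neither game nor owner
        vm.expectRevert("Only game contract or owner can deposit");
        vault.depositEgg(1, stranger);
        assertEq(vault.eggDepositors(1), address(0)); // no depositor was written

        vm.prank(game);                  // the game contract records the real depositor
        vault.depositEgg(1, player);
        assertEq(vault.eggDepositors(1), player);
    }
}
```
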
Updates

Lead Judging Commences

m3dython Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Frontrunning Vulnerability DepositEgg

Front-running depositEgg allows deposit ownership hijacking.
