A critical vulnerability exists in the EggVault contract’s deposit and withdrawal logic. The deposit function relies solely on checking that the NFT is held by the contract, without verifying that the depositor is the rightful owner. This oversight enables a malicious actor to transfer an NFT they do not own into the contract, call the deposit function, and later withdraw the NFT under their control.
Inadequate Ownership Verification:
The deposit function checks that the NFT is owned by the contract using eggNFT.ownerOf(tokenId) == address(this). However, it does not confirm that the depositor is the legitimate owner before recording the deposit.
Exploitation Flow:
An attacker can transfer any NFT to the contract, regardless of original ownership. By calling depositEgg with the NFT's token ID and specifying their own address as the depositor, the attacker effectively registers themselves as the depositor. Subsequently, calling withdrawEgg allows the attacker to reclaim the NFT from the contract, even if they are not the original owner.
Comment Indicator:
The inline comment hints at the issue: "nft owned by contract not stored can be stolen?" This underscores the risk that if the NFT is not properly tracked with the rightful owner, it could be withdrawn by an unauthorized party.
https://github.com/CodeHawks-Contests/2025-04-eggstravaganza/blob/main/src/EggVault.sol#L30
Unauthorized NFT Theft:
Attackers can misappropriate NFTs by depositing tokens they do not own, then withdrawing them to their own address.
Loss of User Assets:
Genuine users risk having their NFTs stolen if an attacker preempts the deposit process by transferring the NFT directly to the contract.
Erosion of Trust:
This flaw could lead to a loss of confidence in the contract’s security, potentially affecting the broader ecosystem or platform that relies on it.
Manual audit
Modify the deposit function to ensure that the depositor is the rightful owner before accepting an NFT. For example, incorporate a check using msg.sender and confirm that the caller is the current owner before the transfer is made.
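The following is an added illustration of that mitigation, not the EggVault contract's own code: the hypothetical HardenedEggVault drops the caller-supplied depositor parameter, checks ownerOf(tokenId) against msg.sender before any transfer, and pulls the NFT from the caller itself (so the owner must have approved the vault first). The minimal IERC721 interface and the function and event names other than depositEgg/withdrawEgg are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface needed here (assumed for the example; use OpenZeppelin's IERC721 in practice).
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

/// Hypothetical hardened vault: the depositor is always msg.sender, and the vault
/// pulls the NFT from that address only after verifying ownership, so an NFT that
/// was merely pushed into the contract by someone else can never be claimed.
contract HardenedEggVault {
    IERC721 public immutable eggNFT;
    mapping(uint256 => address) public depositorOf;

    event EggDeposited(address indexed depositor, uint256 indexed tokenId);
    event EggWithdrawn(address indexed depositor, uint256 indexed tokenId);

    constructor(address nft) { eggNFT = IERC721(nft); }

    function depositEgg(uint256 tokenId) external {
        // Ownership is checked BEFORE the transfer and against the caller,
        // not against the vault address as in the vulnerable pattern.
        require(eggNFT.ownerOf(tokenId) == msg.sender, "caller is not the owner");
        require(depositorOf[tokenId] == address(0), "already deposited");
        depositorOf[tokenId] = msg.sender;
        // Pull pattern: the owner must have approved the vault for this token.
        eggNFT.safeTransferFrom(msg.sender, address(this), tokenId);
        emit EggDeposited(msg.sender, tokenId);
    }

    function withdrawEgg(uint256 tokenId) external {
        // Only the address recorded at deposit time can withdraw.
        require(depositorOf[tokenId] == msg.sender, "not the depositor");
        delete depositorOf[tokenId];
        eggNFT.safeTransferFrom(address(this), msg.sender, tokenId);
        emit EggWithdrawn(msg.sender, tokenId);
    }

    // ERC-721 receiver hook so safeTransferFrom into this contract succeeds.
    function onERC721Received(address, address, uint256, bytes calldata)
        external pure returns (bytes4)
    {
        return this.onERC721Received.selector;
    }
}
```

With this shape, an NFT sent to the vault by a plain transferFrom has no depositorOf entry and cannot be withdrawn by anyone; recovery of such stranded tokens would need a separate, explicitly access-controlled path.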