Eggstravaganza

First Flight #37
Beginner Friendly
Solidity
100 EXP
Submission Details
Severity: low
Invalid

The 'game started' flag is not being checked in the deposit function.

Summary

You're not checking whether the game has started when depositing the NFT into the user's vault.

Vulnerability Details

function depositEggToVault(uint256 tokenId) external {
    require(eggNFT.ownerOf(tokenId) == msg.sender, "Not owner of this egg");
    // Missing: a check that the game has started, for example:
    // require(block.timestamp >= startTime, "Game not started yet");
    eggNFT.transferFrom(msg.sender, address(eggVault), tokenId);
    eggVault.depositEgg(tokenId, msg.sender);
}

require(block.timestamp >= startTime, "Game not started yet"); is missing. Users should not be allowed to deposit NFTs into the vault before the game starts.

Impact

The user hasn't minted any NFTs before the game starts, so there's no point in allowing NFT deposits before the game begins.

Tools Used

VS Code

Recommendations

Add require(block.timestamp >= startTime, "Game not started yet"); to the function.

function depositEggToVault(uint256 tokenId) external {
    require(eggNFT.ownerOf(tokenId) == msg.sender, "Not owner of this egg");
    require(block.timestamp >= startTime, "Game not started yet");
    // The player must first approve the transfer on the NFT contract.
    eggNFT.transferFrom(msg.sender, address(eggVault), tokenId);
    eggVault.depositEgg(tokenId, msg.sender);
}

Updates

Lead Judging Commences

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
