Eggstravaganza
First Flight #37
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Missing depositor ownership check in depositEgg() __ EggVault.sol

hawks

Summary

The depositEgg function updates the eggDepositors mapping using the provided depositor address, but it does not verify that the token actually belongs to the depositor.

Vulnerability Details

The function lacks a check to ensure that the depositor is the actual owner of the tokenId. This allows any caller to assign any address as the depositor, regardless of ownership.

/// @notice Records the deposit of an egg (NFT).
/// The NFT must already have been transferred to the vault.
function depositEgg(uint256 tokenId, address depositor) public {
require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
require(!storedEggs[tokenId], "Egg already deposited");
storedEggs[tokenId] = true;
eggDepositors[tokenId] = depositor;
emit EggDeposited(depositor, tokenId);
}

Impact

False depositor attribution — someone can claim another user's egg as theirs.

Could lead to exploits in reward systems, scoring, or ownership claims.

Tools Used

Manual review

Recommendations

Add an ownership check before assigning the depositor:

require(eggNFT.ownerOf(tokenId) == depositor, "Depositor is not the NFT owner");

Updates

Lead Judging Commences

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Frontrunning Vulnerability DepositEgg

Front-running depositEgg allows deposit ownership hijacking.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.