Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Unsafe Two-Step NFT Deposit Process

Summary

The vault's deposit flow requires NFTs to be transferred first and registered later, creating a critical race condition.

Vulnerability Details

  • Location: Interaction between EggHuntGame.depositEggToVault() and EggVault.depositEgg()

  • Technical Issue:

    • Current flow: transferFrom() → separate depositEgg() call

    • Between these steps:

      • NFT already belongs to vault

      • Ownership record doesn't exist yet

  • Attack Scenario:

    1. Alice transfers NFT to vault

    2. Bob front-runs her depositEgg() call

    3. Bob registers himself as depositor

    4. Alice loses withdrawal rights

Impact

  • Theft of deposited NFTs

  • Permanent loss of user funds

Tools Used

  • Manual control flow analysis

Recommendations

  • Encoded Data Transfer

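// In EggHuntGame.sol
function depositEggToVault(uint256 tokenId) external {
    // Transfer and registration happen in one transaction via the receiver hook
    eggNFT.safeTransferFrom(
        msg.sender,
        address(eggVault),
        tokenId,
        abi.encode(msg.sender) // Embed depositor info
    );
}

// In EggVault.sol
function onERC721Received(
    address,
    address,
    uint256 tokenId,
    bytes calldata data
) external override returns (bytes4) {
    // Accept the callback only from the NFT contract; otherwise anyone could
    // call this hook directly. `eggNFT` is assumed to be the vault's NFT reference.
    require(msg.sender == address(eggNFT), "Caller is not the egg NFT");
    address depositor = abi.decode(data, (address));
    _registerDeposit(tokenId, depositor);
    return this.onERC721Received.selector;
}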
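The following Python model is an added example, not code from the submission or the Eggstravaganza project. It replays the transaction ordering from the attack scenario against the two-step flow and against the atomic receiver-hook flow. The class names, the open `deposit_egg` check and the caller check in the hook are assumptions based on the description above.

```python
from contextlib import suppress

# Constructed model of the two deposit flows; names mirror the page, logic is assumed.
class NFT:
    def __init__(self):
        self.owner = {}                      # tokenId -> current owner

    def transfer_from(self, frm, to, token_id):
        if self.owner[token_id] != frm:
            raise PermissionError("not owner")
        self.owner[token_id] = to

    def safe_transfer_from(self, frm, to, token_id, data):
        self.transfer_from(frm, to, token_id)
        # Receiver hook runs inside the same transaction; caller is the NFT contract
        to.on_erc721_received(caller=self, token_id=token_id, data=data)

class Vault:
    def __init__(self, nft):
        self.nft, self.depositor = nft, {}   # tokenId -> registered depositor

    def _register(self, token_id, who):
        if self.nft.owner.get(token_id) is not self or token_id in self.depositor:
            raise PermissionError("not held by vault or already registered")
        self.depositor[token_id] = who

    def deposit_egg(self, token_id, who):    # two-step flow: open to any caller
        self._register(token_id, who)

    def on_erc721_received(self, caller, token_id, data):   # atomic flow
        if caller is not self.nft:
            raise PermissionError("callback must come from the NFT contract")
        self._register(token_id, data)

def two_step_race():
    nft = NFT(); vault = Vault(nft); nft.owner[1] = "alice"
    nft.transfer_from("alice", vault, 1)     # tx 1: Alice's transfer
    vault.deposit_egg(1, "bob")              # tx 2: ordered ahead of Alice's call
    with suppress(PermissionError):
        vault.deposit_egg(1, "alice")        # tx 3: Alice's registration reverts
    return vault.depositor[1]

def atomic_deposit():
    nft = NFT(); vault = Vault(nft); nft.owner[1] = "alice"
    nft.safe_transfer_from("alice", vault, 1, data="alice")  # single transaction
    with suppress(PermissionError):
        vault.on_erc721_received(caller="bob", token_id=1, data="bob")
    return vault.depositor[1]
```

In the two-step run the registered depositor ends up as Bob; in the atomic run there is no window between transfer and registration, and a direct call to the hook is rejected.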
Updates

Lead Judging Commences

m3dython Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Frontrunning Vulnerability DepositEgg

Front-running depositEgg allows deposit ownership hijacking.
