Front-running depositEgg allows deposit ownership hijacking.

The depositEgg function in the EggVault contract does not validate that the depositor address matches the rightful owner of the NFT. This allows an attacker to front-run a legitimate user and register a malicious address as the depositor, effectively hijacking the egg.

The function accepts a depositor parameter without validation. This lets any user call depositEgg with any arbitrary address, which is then stored in the eggDepositors mapping. An attacker can front-run a pending legitimate deposit and insert their own address, allowing them to later withdraw the egg using withdrawEgg.

Impact: Attackers can claim ownership of NFTs by front-running deposits, leading to unauthorized withdrawals and potential permanent loss of user assets.

Tools used: Manual code review.

Recommendation: Remove the depositor parameter from depositEgg. Use msg.sender, or a trusted address like EggHuntGame that manages user assets, as the depositor, ensuring accurate ownership tracking.
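Added illustration, not the audited project's code: a minimal reconstruction of the reported pattern beside the recommended fix, so the two depositEgg signatures can be compared directly. The IERC721Min interface, the constructor, and the "egg already transferred to the vault" precondition in the vulnerable variant are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface the vault needs (assumed interface for this example).
interface IERC721Min {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Before: mirrors the reported pattern. The caller-supplied `depositor` is
// stored as-is, so whichever depositEgg call is mined first claims the egg.
contract EggVaultVulnerable {
    IERC721Min public immutable eggNFT;
    mapping(uint256 => address) public eggDepositors;

    constructor(address nft) { eggNFT = IERC721Min(nft); }

    function depositEgg(uint256 tokenId, address depositor) external {
        // Assumed: the egg was already transferred to the vault in a separate tx.
        require(eggNFT.ownerOf(tokenId) == address(this), "egg not in vault");
        eggDepositors[tokenId] = depositor; // no check that depositor owned the egg
    }

    function withdrawEgg(uint256 tokenId) external {
        require(eggDepositors[tokenId] == msg.sender, "not depositor");
        delete eggDepositors[tokenId];
        eggNFT.transferFrom(address(this), msg.sender, tokenId);
    }
}

// After: no depositor parameter. The vault pulls the egg from msg.sender in the
// same call, so only the token's owner (or an approved operator) can register it.
contract EggVaultFixed {
    IERC721Min public immutable eggNFT;
    mapping(uint256 => address) public eggDepositors;

    constructor(address nft) { eggNFT = IERC721Min(nft); }

    function depositEgg(uint256 tokenId) external {
        require(eggDepositors[tokenId] == address(0), "already deposited");
        eggNFT.transferFrom(msg.sender, address(this), tokenId); // reverts unless caller owns/approved
        eggDepositors[tokenId] = msg.sender;
    }

    function withdrawEgg(uint256 tokenId) external {
        require(eggDepositors[tokenId] == msg.sender, "not depositor");
        delete eggDepositors[tokenId];
        eggNFT.transferFrom(address(this), msg.sender, tokenId);
    }
}
```

If deposits are routed through a trusted contract such as EggHuntGame (the recommendation's second option), msg.sender is that contract and it must itself keep the mapping from egg to end user; that routing is an assumption not shown here.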