Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Invalid

Implementing transfer safety

Summary

Transfer functions are implemented in all contracts related to token transfer

Vulnerability Details

A proposal to make the contract more secure by moving from transferFrom to safeTransferFrom. Yes, this will require more gas, but it will increase security several times over.

Impact

Attackers can get hold of a large number of tokens without additional checks

Tools Used

Recommendations

Change transferFrom to safeTransferFrom and make further changes to make the contract and safeTransferFrom checks work correctly.
Also add to the EggHuntGame contract to make it compatible with the EggVault contract:

// In EggHuntGame:
function depositEggToVault(uint256 tokenId) external nonReentrant {
    require(eggNFT.ownerOf(tokenId) == msg.sender, "Not owner of this egg");
    // Use safeTransferFrom instead of transferFrom
    eggNFT.safeTransferFrom(msg.sender, address(eggVault), tokenId);
}

// In EggVault:
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

contract EggVault is Ownable, IERC721Receiver {
    // eggNFT, eggHuntGame, storedEggs, eggDepositors and the events used below
    // are not shown in this submission.

    // Called by the token contract during safeTransferFrom to this vault.
    function onERC721Received(
        address operator,
        address from,
        uint256 tokenId,
        bytes calldata data
    ) external override returns (bytes4) {
        require(msg.sender == address(eggNFT), "Only EggstravaganzaNFT allowed");
        require(operator == eggHuntGame, "Only EggHuntGame can deposit");
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = from;
        emit EggDeposited(from, tokenId);
        return this.onERC721Received.selector;
    }

    function withdrawEgg(uint256 tokenId) external {
        require(storedEggs[tokenId], "Egg not in vault");
        require(eggDepositors[tokenId] == msg.sender, "Not the original depositor");
        // Clear the vault's records before the external call to the token contract.
        storedEggs[tokenId] = false;
        delete eggDepositors[tokenId];
        eggNFT.safeTransferFrom(address(this), msg.sender, tokenId);
        emit EggWithdrawn(msg.sender, tokenId);
    }

    function isEggDeposited(uint256 tokenId) external view returns (bool) {
        return storedEggs[tokenId];
    }

    function withdraw() external onlyOwner {
        payable(owner()).transfer(address(this).balance);
    }
}
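
What switching from transferFrom to safeTransferFrom changes at the recipient, shown as an added Foundry test that is not part of the submission or the contest code base. DemoEgg, PlainVault, ReceiverVault and the test names are constructed for illustration, and the test assumes forge-std and OpenZeppelin Contracts are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Constructed stand-ins for illustration; these are not the contest contracts.
contract DemoEgg is ERC721 {
    constructor() ERC721("DemoEgg", "DEGG") {}
    function mint(address to, uint256 id) external { _mint(to, id); }
}

contract PlainVault {} // does not implement IERC721Receiver
contract ReceiverVault is IERC721Receiver {
    address public immutable nft;
    mapping(uint256 => address) public depositor;
    constructor(address nft_) { nft = nft_; }
    function onERC721Received(address, address from, uint256 tokenId, bytes calldata) external override returns (bytes4) {
        require(msg.sender == nft, "unexpected token contract");
        depositor[tokenId] = from; // bookkeeping happens atomically with the transfer
        return IERC721Receiver.onERC721Received.selector;
    }
}

contract SafeTransferDemoTest is Test {
    DemoEgg egg;
    address player = address(0xA11CE); // constructed externally owned account
    function setUp() public {
        egg = new DemoEgg();
        egg.mint(player, 1);
    }

    function test_nonReceiverContract() public {
        address plain = address(new PlainVault());
        vm.startPrank(player);
        vm.expectRevert(); // safeTransferFrom: recipient has no onERC721Received
        egg.safeTransferFrom(player, plain, 1);
        egg.transferFrom(player, plain, 1); // transferFrom performs no recipient check
        assertEq(egg.ownerOf(1), plain); // PlainVault has no function to move it out again
    }

    function test_receiverContract() public {
        ReceiverVault vault = new ReceiverVault(address(egg));
        vm.startPrank(player);
        egg.safeTransferFrom(player, address(vault), 1);
        assertEq(vault.depositor(1), player);
    }
}
```
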
Updates

Lead Judging Commences

m3dython Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
