Eggstravaganza

First Flight #37

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Front-Running vulnerability in EggVault's depositEgg function

vito

Summary

The depositEgg function in the EggVault contract is vulnerable to front-running attacks. An attacker can monitor the mempool for NFT transfers to the vault and front-run the legitimate user's depositEgg call, claiming ownership of the deposited NFT. This vulnerability arises because the function does not verify that the caller has any relationship to the NFT being deposited, allowing anyone to register as the depositor once the NFT is in the vault's possession.

Vulnerability Details

This function has two critical issues:

It's publicly callable by anyone, not restricted to the EggHuntGame contract.
It allows the caller to specify any address as the depositor.

The deposit flow requires users to first transfer their NFT to the vault and then call depositEgg as separate transactions. This two-step process creates a time window for an attack:

User transfers their NFT (tokenId) to the vault
Before the user can call depositEgg, an attacker observes the transfer in the mempool
Attacker front-runs the user's depositEgg transaction with their own, specifying themselves as the depositor
The attacker's transaction succeeds because the NFT is already in the vault's possession
The user's subsequent depositEgg call fails with "Egg already deposited"
The attacker is now recorded as the legitimate depositor and can likely withdraw the NFT later

The function only checks that:

The NFT is currently owned by the vault
The NFT hasn't already been registered in storage

It fails to verify that the caller has any legitimate claim to the NFT that was transferred.

Impact

The impact of this vulnerability is severe:

Users can permanently lose their NFTs to attackers
Any value associated with the NFTs (which may be significant for rare or valuable NFTs) is stolen
The trust in the EggVault system is completely undermined

This vulnerability affects all users who attempt to deposit NFTs into the vault. The attack requires minimal technical expertise and resources to execute, making it highly exploitable in a production environment. Since NFTs can hold significant value, financial losses could be substantial.

Tools Used

Foundry

Recommendations

the EggHuntGame contract already implements a proper deposit flow with the depositEggToVault function, the direct access to depositEgg should be restricted.

The recommended approach is to:

Modify the depositEgg function in EggVault to only allow calls from the EggHuntGame contract:

function depositEgg(uint256 tokenId, address depositor) public {

require(msg.sender == address(eggHuntGame), "Only EggHuntGame can deposit");

require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");

require(!storedEggs[tokenId], "Egg already deposited");

storedEggs[tokenId] = true;

eggDepositors[tokenId] = depositor;

emit EggDeposited(depositor, tokenId);

}

Updates

Lead Judging Commences

m3dython Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Frontrunning Vulnerability DepositEgg

Front-running depositEgg allows deposit ownership hijacking.

Rewards breakdown

nSLOC

129

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!