Eggstravaganza

First Flight #37
Beginner Friendly | Solidity
Submission Details
Severity: high
Valid

Improper Access Control in EggVault's depositEgg Function

Summary

The depositEgg() function in EggVault lacks proper access control, allowing anyone to call it with arbitrary depositor addresses.

Vulnerability Details

The function is declared as public and doesn't verify the caller's identity:

```solidity
// depositor is taken straight from the caller's argument; msg.sender is never checked,
// so any account can record any address as the depositor of a token the vault holds.
function depositEgg(uint256 tokenId, address depositor) public {
    require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
    require(!storedEggs[tokenId], "Egg already deposited");
    storedEggs[tokenId] = true;
    eggDepositors[tokenId] = depositor; // attacker-controlled value becomes the withdraw key
    emit EggDeposited(depositor, tokenId);
}
```

Impact

A malicious actor could call this function with someone else's address as the depositor parameter, preventing the actual owner from withdrawing their NFT since withdrawEgg() requires the caller to match the recorded depositor.

Tools Used

Code review

Recommendations

Restrict depositEgg() to be called only by the game contract or implement a role-based access control system. Also consider adding a way for the owner to rescue incorrectly deposited NFTs.

```solidity
// Add a modifier or an explicit caller check so only the game contract can record deposits
function depositEgg(uint256 tokenId, address depositor) public {
    require(msg.sender == address(gameContract), "Only game contract can deposit");
    require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
    require(!storedEggs[tokenId], "Egg already deposited");
    storedEggs[tokenId] = true;
    eggDepositors[tokenId] = depositor;
    emit EggDeposited(depositor, tokenId);
}
```
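A complete hardened vault that applies the recommendation above, written here as an added illustration rather than code from the Eggstravaganza project. It assumes the NFT exposes the standard ERC-721 ownerOf/transferFrom, that the game contract address is fixed at deployment (the name HardenedEggVault, the IEggNFT interface, the onlyGame/onlyOwner modifiers and the rescueEgg function are all hypothetical), and it keeps the depositor-only rule that withdrawEgg() is described as enforcing:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface the vault needs (assumption: the real NFT contract
// exposes the standard ownerOf and transferFrom).
interface IEggNFT {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical hardened vault; only the game contract may record a deposit.
contract HardenedEggVault {
    IEggNFT public immutable eggNFT;
    address public immutable gameContract; // assumption: fixed once at deployment
    address public owner;

    mapping(uint256 => bool) public storedEggs;
    mapping(uint256 => address) public eggDepositors;

    event EggDeposited(address indexed depositor, uint256 indexed tokenId);
    event EggWithdrawn(address indexed depositor, uint256 indexed tokenId);
    event EggRescued(address indexed to, uint256 indexed tokenId);

    error NotGameContract();
    error NotOwner();
    error NotDepositor();

    modifier onlyGame() {
        if (msg.sender != gameContract) revert NotGameContract();
        _;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _eggNFT, address _gameContract) {
        eggNFT = IEggNFT(_eggNFT);
        gameContract = _gameContract;
        owner = msg.sender;
    }

    // The depositor argument is trusted only because the game contract, which moved
    // the NFT into the vault, is the sole caller allowed to set it.
    function depositEgg(uint256 tokenId, address depositor) external onlyGame {
        require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
        require(!storedEggs[tokenId], "Egg already deposited");
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = depositor;
        emit EggDeposited(depositor, tokenId);
    }

    // Only the recorded depositor can take the egg back out.
    function withdrawEgg(uint256 tokenId) external {
        if (eggDepositors[tokenId] != msg.sender) revert NotDepositor();
        delete storedEggs[tokenId];
        delete eggDepositors[tokenId];
        eggNFT.transferFrom(address(this), msg.sender, tokenId);
        emit EggWithdrawn(msg.sender, tokenId);
    }

    // Recovery path for an NFT that reached the vault without a matching deposit
    // record, so a stuck token can be returned without touching valid deposits.
    function rescueEgg(uint256 tokenId, address to) external onlyOwner {
        require(!storedEggs[tokenId], "Egg has a depositor; use withdrawEgg");
        require(eggNFT.ownerOf(tokenId) == address(this), "Vault does not hold this egg");
        eggNFT.transferFrom(address(this), to, tokenId);
        emit EggRescued(to, tokenId);
    }
}
```

Because the only permitted caller is the game contract, the window in which a third party could submit a competing depositEgg() call between the NFT transfer and the deposit record disappears; having the game contract perform the transfer and the depositEgg() call in the same transaction closes it completely. The rescue path is deliberately limited to tokens with no deposit record, so the owner cannot override a legitimate depositor.
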

Updates

Lead Judging Commences

m3dython Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Frontrunning Vulnerability DepositEgg

Front-running depositEgg allows deposit ownership hijacking.
