Eggstravaganza

First Flight #37
Beginner Friendly · Solidity
100 EXP
Submission Details
Severity: medium
Valid

Use of transferFrom() Instead of safeTransferFrom()

Summary

The withdrawEgg() function returns NFTs with transferFrom(), which skips the onERC721Received check that safeTransferFrom() performs. A depositor that is a contract unable to handle ERC721 tokens therefore receives the NFT silently and can never move it again.

Vulnerability Details

In withdrawEgg(uint256 tokenId), the NFT is returned with eggNFT.transferFrom(address(this), msg.sender, tokenId). transferFrom() never consults the recipient: if msg.sender is a contract that implements neither onERC721Received nor any function that transfers ERC721 tokens it holds, the call still succeeds and the NFT is locked at that address for good. safeTransferFrom() would instead invoke onERC721Received on a contract recipient and revert when the hook is missing or returns the wrong selector, so the withdrawal fails loudly rather than stranding the token. Because the function clears storedEggs and eggDepositors before the external call, switching to safeTransferFrom() does not open a re-entrancy path on the same token.

function withdrawEgg(uint256 tokenId) public {
    require(storedEggs[tokenId], "Egg not in vault");
    require(eggDepositors[tokenId] == msg.sender, "Not the original depositor");
    // State is cleared before the external call (checks-effects-interactions).
    storedEggs[tokenId] = false;
    delete eggDepositors[tokenId];
    // transferFrom() does not call onERC721Received on a contract recipient,
    // so a recipient that cannot handle ERC721 tokens still receives the egg.
    eggNFT.transferFrom(address(this), msg.sender, tokenId);
    emit EggWithdrawn(msg.sender, tokenId);
}
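As an added example (not code from the Eggstravaganza repository or from this submission), the following Foundry test file puts the reported withdraw next to a safeTransferFrom() version and exercises both through a depositor contract that has no onERC721Received hook and no function for moving tokens it holds. The names DemoEggNFT, DemoVault, StrandedDepositor, withdrawEggUnsafe and withdrawEggSafe, and the forge-std and OpenZeppelin imports, are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this finding; not code from the Eggstravaganza repo.
// Assumes a Foundry project with forge-std and OpenZeppelin Contracts installed.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";

/// Hypothetical stand-in for the egg NFT.
contract DemoEggNFT is ERC721 {
    constructor() ERC721("DemoEgg", "EGG") {}
    function mint(address to, uint256 id) external { _mint(to, id); }
}

/// Hypothetical vault with the reported withdraw next to the hardened one.
contract DemoVault {
    IERC721 public immutable eggNFT;
    mapping(uint256 => bool) public storedEggs;
    mapping(uint256 => address) public eggDepositors;

    event EggWithdrawn(address indexed depositor, uint256 tokenId);

    constructor(IERC721 nft) { eggNFT = nft; }

    function depositEgg(uint256 tokenId) external {
        eggNFT.transferFrom(msg.sender, address(this), tokenId);
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = msg.sender;
    }

    // As reported: transferFrom never consults the recipient, so a contract
    // caller that cannot move ERC721s receives the egg and keeps it forever.
    function withdrawEggUnsafe(uint256 tokenId) external {
        _release(tokenId);
        eggNFT.transferFrom(address(this), msg.sender, tokenId);
        emit EggWithdrawn(msg.sender, tokenId);
    }

    // Hardened: safeTransferFrom calls onERC721Received on a contract recipient
    // and reverts if the hook is missing or returns the wrong selector. State is
    // cleared before the external call, so the callback cannot re-enter for the
    // same token.
    function withdrawEggSafe(uint256 tokenId) external {
        _release(tokenId);
        eggNFT.safeTransferFrom(address(this), msg.sender, tokenId);
        emit EggWithdrawn(msg.sender, tokenId);
    }

    function _release(uint256 tokenId) internal {
        require(storedEggs[tokenId], "Egg not in vault");
        require(eggDepositors[tokenId] == msg.sender, "Not the original depositor");
        storedEggs[tokenId] = false;
        delete eggDepositors[tokenId];
    }
}

/// A depositor contract that can talk to the vault but implements neither
/// onERC721Received nor any function that transfers NFTs it holds.
contract StrandedDepositor {
    DemoVault public immutable vault;
    constructor(DemoVault v) { vault = v; }
    function deposit(uint256 id) external {
        vault.eggNFT().approve(address(vault), id);
        vault.depositEgg(id);
    }
    function withdrawUnsafe(uint256 id) external { vault.withdrawEggUnsafe(id); }
    function withdrawSafe(uint256 id) external { vault.withdrawEggSafe(id); }
}

contract UnsafeTransferTest is Test {
    DemoEggNFT nft;
    DemoVault vault;
    StrandedDepositor stranded;

    function setUp() public {
        nft = new DemoEggNFT();
        vault = new DemoVault(nft);
        stranded = new StrandedDepositor(vault);
        nft.mint(address(stranded), 1);
        stranded.deposit(1);
        assertEq(nft.ownerOf(1), address(vault));
    }

    // transferFrom succeeds: the egg now sits in a contract that can never move it.
    function test_unsafeWithdrawStrandsEgg() public {
        stranded.withdrawUnsafe(1);
        assertEq(nft.ownerOf(1), address(stranded));
    }

    // safeTransferFrom refuses the same recipient; the revert rolls back the
    // state changes, so the vault record for token 1 is intact.
    function test_safeWithdrawRevertsForStrandedRecipient() public {
        vm.expectRevert();
        stranded.withdrawSafe(1);
        assertEq(nft.ownerOf(1), address(vault));
        assertTrue(vault.storedEggs(1));
    }
}
```

Run with forge test. The second test shows what the fix buys: safeTransferFrom() turns a silent loss into a revert that surfaces at withdrawal time, and because the vault's storedEggs and eggDepositors entries are rolled back, the record of the deposit survives rather than being deleted for a token the depositor can no longer control.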

Impact

A depositor that is a contract without ERC721 handling (no onERC721Received hook and no function that transfers tokens it holds) has the withdrawn NFT permanently locked at its address. The vault has already cleared storedEggs and eggDepositors for that token, so nothing in the vault can re-deposit or recover it.

Tools Used

  • Manual code review

Updates

Lead Judging Commences

m3dython Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unsafe ERC721 Transfer

NFTs are transferred to contracts without onERC721Received implementation.
