The EggVault contract is designed to store ERC721 tokens (NFT eggs), but it does not implement the IERC721Receiver interface, which includes the critical onERC721Received() function. This function is required for contracts to properly receive ERC721 tokens. Currently, the depositEggToVault() function uses transferFrom() instead of safeTransferFrom(), which bypasses the receiver safety check: the transfer of the NFT to the contract address succeeds, and the NFT gets stuck there.
1) A user deposits an NFT into the EggVault using the current depositEggToVault() function, which uses transferFrom().
2) The deposit succeeds because transferFrom() doesn't check for a proper receiver implementation.
3) The NFT is locked in the EggVault contract.
NFTs transferred into the EggVault contract will be permanently locked there with no possibility of transferring them out.
Implement the IERC721Receiver interface and the onERC721Received() function in the EggVault contract.
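A sketch of the recommended change, added here as an example and not taken from the audited code base: the contract name `EggVaultSketch`, the functions `depositEgg` and `withdrawEgg`, and the `depositorOf` mapping are hypothetical, and the two interfaces are declared inline so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC721 interfaces, declared inline so the sketch is self-contained.
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Hypothetical vault: names and storage layout are assumptions, not the audited contract.
contract EggVaultSketch is IERC721Receiver {
    IERC721 public immutable eggNFT;
    mapping(uint256 => address) public depositorOf;

    constructor(IERC721 _eggNFT) { eggNFT = _eggNFT; }

    // The caller must have approved this vault for tokenId beforehand.
    function depositEgg(uint256 tokenId) external {
        // safeTransferFrom makes the token contract call onERC721Received below
        // and revert unless the expected selector is returned.
        eggNFT.safeTransferFrom(msg.sender, address(this), tokenId);
    }

    // Receiver hook: runs for deposits via depositEgg and for direct safe transfers.
    function onERC721Received(address, address from, uint256 tokenId, bytes calldata)
        external override returns (bytes4)
    {
        // Only accept callbacks coming from the egg collection itself.
        require(msg.sender == address(eggNFT), "unexpected token");
        depositorOf[tokenId] = from; // remember who may take the egg back out
        return IERC721Receiver.onERC721Received.selector;
    }

    function withdrawEgg(uint256 tokenId) external {
        require(depositorOf[tokenId] == msg.sender, "not depositor");
        delete depositorOf[tokenId]; // clear state before the external call
        eggNFT.safeTransferFrom(address(this), msg.sender, tokenId);
    }
}
```

Recording the depositor inside the hook rather than in `depositEgg` means an egg sent straight to the vault with safeTransferFrom() is tracked the same way as one deposited through the vault's own function.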
NFTs are transferred to contracts without onERC721Received implementation.