Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

Centralization risk in EggVault NFT contract management

Summary

The EggVault::setEggNFT function allows the owner to change the NFT contract address at any time without notice or transparency, creating a centralization risk that undermines the trustlessness of the vault system.

Vulnerability Details

The vault contract allows the owner to change which NFT contract it recognizes without any restrictions or transparency:

## EggVault.sol
```solidity
function setEggNFT(address _eggNFTAddress) external onlyOwner {
    require(_eggNFTAddress != address(0), "Invalid NFT address");
    eggNFT = EggstravaganzaNFT(_eggNFTAddress);
}
```

This creates several vulnerabilities:

  1. The owner can change the NFT contract at any time without notice

  2. No events are emitted when this critical parameter changes

  3. Users have no way to verify which NFT contract is recognized by the vault

  4. No timelock or delay mechanism for such a critical parameter change

Impact

  • The owner can silently change which NFT contract the vault recognizes

  • Could be exploited by a compromised owner account to point to a malicious NFT contract

  • Users who have deposited eggs may find their NFTs no longer recognized by the vault

  • Undermines the trustlessness of the vault system

Tools Used

  • Manual code review

  • Centralization risk assessment

Recommendations

Emit an event whenever the NFT contract address changes, and put the change behind a timelock.
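One way to implement this recommendation, as an added example that is not code from the contest repository or from the submission: the single-step setter becomes a propose / execute pair separated by a delay, with an event at each step. Assumptions: `eggNFT` is held as a plain `address`, ownership is a minimal inline check, the delay is two days, and every function, event and constant name other than `eggNFT` is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not the contest's EggVault. All names other than eggNFT
// and the "Invalid NFT address" check are hypothetical.
contract TimelockedEggVault {
    uint256 public constant NFT_CHANGE_DELAY = 2 days; // assumed delay

    address public immutable owner;
    address public eggNFT;            // public getter: users can read the current NFT
    address public pendingEggNFT;     // proposed replacement, visible before it applies
    uint256 public pendingEggNFTEta;  // earliest timestamp at which it may be applied
    event EggNFTChangeProposed(address indexed current, address indexed proposed, uint256 eta);
    event EggNFTChangeCancelled(address indexed proposed);
    event EggNFTChanged(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address _eggNFTAddress) {
        require(_eggNFTAddress != address(0), "Invalid NFT address");
        owner = msg.sender;
        eggNFT = _eggNFTAddress;
    }

    // Step 1: announce the new address and start the delay.
    function proposeEggNFT(address _eggNFTAddress) external onlyOwner {
        require(_eggNFTAddress != address(0), "Invalid NFT address");
        pendingEggNFT = _eggNFTAddress;
        pendingEggNFTEta = block.timestamp + NFT_CHANGE_DELAY;
        emit EggNFTChangeProposed(eggNFT, _eggNFTAddress, pendingEggNFTEta);
    }

    function cancelEggNFTChange() external onlyOwner {
        require(pendingEggNFT != address(0), "No pending change");
        emit EggNFTChangeCancelled(pendingEggNFT);
        delete pendingEggNFT;
        delete pendingEggNFTEta;
    }

    // Step 2: apply the change only after the delay has elapsed.
    function executeEggNFTChange() external onlyOwner {
        require(pendingEggNFT != address(0), "No pending change");
        require(block.timestamp >= pendingEggNFTEta, "Timelock not elapsed");
        emit EggNFTChanged(eggNFT, pendingEggNFT);
        eggNFT = pendingEggNFT;
        delete pendingEggNFT;
        delete pendingEggNFTEta;
    }
}
```

Calling `proposeEggNFT` again replaces the pending address and restarts the delay, so any change that takes effect has been observable on-chain for at least `NFT_CHANGE_DELAY`.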

Updates

Lead Judging Commences

m3dython Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Trusted Owner

Owner is trusted and is not expected to interact in ways that would compromise security
