Eggstravaganza

Summary

The EggVault contract’s depositEgg function lacks proper access control, allowing anyone to call it and assign ownership of an NFT to an arbitrary address after transferring it to the Vault. This vulnerability enables attackers to steal ownership of deposited NFTs, bypassing the intended game mechanics.

Vulnerability Details

The depositEgg function in EggVault is defined as public without caller restrictions:

Key issues:

• No Caller Restriction: Any address can call depositEgg and set depositor to themselves or another address, as long as the NFT is already in the Vault.

• Interaction with EggHuntGame: While EggHuntGame.depositEggToVault calls this function correctly, an attacker can bypass it by:

  1. Transferring an NFT to the Vault via eggNFT.transferFrom.

  2. Calling depositEgg directly with their own address as depositor.

An attacker can:

• Transfer an NFT to the Vault independently.

• Register it under their address, effectively claiming ownership.

• Later call withdrawEgg to retrieve it.

Impact

This vulnerability disrupts the system:

1. NFT Theft: Attackers can claim ownership of NFTs deposited by others, stealing assets.

2. Game Integrity: Bypasses the intended deposit flow through EggHuntGame, breaking gameplay rules.

3. Economic Loss: Stolen NFTs reduce trust and value in the ecosystem.

4. Player Frustration: Legitimate players lose control over their assets, potentially abandoning the game.

Tools Used

• Manual code review

• Solidity compiler analysis (version ^0.8.23)

• Scenario testing with hypothetical attack contracts

Recommendations

1. Restrict Caller Access:

   • Limit depositEgg to only be callable by the EggHuntGame contract.

2. Validate Depositor:

   • Ensure depositor matches the actual sender or NFT owner at transfer time (though current design relies on EggHuntGame).

Example Implementation