Eggstravaganza
First Flight #37
Beginner Friendly, Solidity

Submission Details
Severity: medium
Invalid

Uninitialized NFT Contract Address Validation Missing

Summary

The depositEgg function in EggVault.sol does not verify that the NFT contract address (eggNFT) has been set before it is used. Until the address is configured, calls into the vault that touch the NFT can fail or behave unexpectedly.

Vulnerability Details

The vulnerable code is in depositEgg:

function depositEgg(uint256 tokenId, address depositor) public {
    // eggNFT is a storage variable set later by setEggNFT(); nothing here checks that it is non-zero
    require(eggNFT.ownerOf(tokenId) == address(this), "..."); // ❌
    // ...other checks...
}

The contract does not check that eggNFT has been initialized before calling into it. If the owner forgets to call setEggNFT() after deployment, every call to depositEgg ends up calling ownerOf on address(0), resulting in:

  1. Failed low-level calls to a non-existent contract
  2. Reverted transactions for legitimate users
  3. Protocol functionality deadlocked until the address is configured

Impact

• Temporary denial-of-service for vault operations
• Damaged user experience due to failed transactions
• Requires emergency owner intervention to fix
• Potential loss of protocol credibility

Tools Used

Manual code review

Recommendations

Critical Fix:

function depositEgg(uint256 tokenId, address depositor) public {
    // Fail early with an explicit reason instead of an opaque revert from calling address(0)
    require(address(eggNFT) != address(0), "NFT contract not initialized"); // ✅
    require(eggNFT.ownerOf(tokenId) == address(this), "...");
    // ...remaining logic...
}
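As an added illustration, not code from the Eggstravaganza repository: a minimal Foundry test that exercises the recommended guard before and after configuration. GuardedVault, MockEggNFT, the owner check and the eggDepositors mapping are assumptions made for this sketch; only the names eggNFT, setEggNFT() and depositEgg(tokenId, depositor) follow this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Constructed stand-in for the egg NFT; not the project's NFT contract.
contract MockEggNFT is ERC721 {
    constructor() ERC721("Egg", "EGG") {}
    function mint(address to, uint256 id) external { _mint(to, id); }
}

// Minimal vault carrying the recommended guard; a sketch, not EggVault.sol.
contract GuardedVault {
    ERC721 public eggNFT;                 // stays address(0) until setEggNFT() runs
    address public owner = msg.sender;
    mapping(uint256 => address) public eggDepositors;

    function setEggNFT(address nft) external {
        require(msg.sender == owner, "not owner");
        eggNFT = ERC721(nft);
    }

    function depositEgg(uint256 tokenId, address depositor) public {
        // Explicit guard: a clear reason instead of an opaque revert on address(0)
        require(address(eggNFT) != address(0), "NFT contract not initialized");
        require(eggNFT.ownerOf(tokenId) == address(this), "NFT not transferred to vault");
        eggDepositors[tokenId] = depositor;
    }
}

contract GuardedVaultTest is Test {
    GuardedVault vault = new GuardedVault();   // test contract becomes owner
    MockEggNFT nft = new MockEggNFT();
    address constant alice = address(0xA11CE); // constructed depositor address

    // Before configuration the deposit must fail with the explicit message
    function test_RevertsBeforeInit() public {
        vm.expectRevert(bytes("NFT contract not initialized"));
        vault.depositEgg(1, alice);
    }

    // After configuration and transfer into the vault, the depositor is recorded
    function test_DepositAfterInit() public {
        vault.setEggNFT(address(nft));
        nft.mint(address(vault), 1);
        vault.depositEgg(1, alice);
        assertEq(vault.eggDepositors(1), alice);
    }
}
```

Run with `forge test` in a project that has forge-std and OpenZeppelin contracts installed; the first test only passes because the guard turns the address(0) call into a named revert.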

Updates

Lead Judging Commences

m3dython Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
