`EggVault` Contract Miss Implemententation of `IERC721` Interface
Summary
EggVault contract didn't implement IERC721Receiver interface by inheriting ERC721Holder, causing transferFrom operations to silently fail when NFTs are sent to it. This leads to permanent loss or locking of NFTs, breaking core game mechanics.
Vulnerability Details
According to the ERC721 standard, any smart contract meant to receive ERC721 tokens must implement the onERC721Received function, returning the correct selector. Failing to do so causes token transfers using safeTransferFrom to revert, or — if transferFrom is used (as in this case) — the token is transferred but gets permanently locked, because the recipient doesn’t acknowledge receipt.
How It Happens:
-
If the recipient is a smart contract, and it does not implement
onERC721Received, the ERC721 token will be stuck. -
In the provided game logic, the
depositEggToVaultfunction transfers NFTs to theEggVaultusingtransferFrom:
Impact
-
Permanent loss of user assets (egg NFTs).
-
State inconsistency between vault and game logic.
-
Player frustration and broken game experience.
-
Reputational risk to protocol.
Tools Used
Manual code review
ERC721 specification
Recommendations
Implement the acceptance check properly by inheriting from OpenZeppelin's ERC721Holder:
Lead Judging Commences
Unsafe ERC721 Transfer
NFTs are transferred to contracts without onERC721Received implementation.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.