Eggstravaganza

First Flight #37
Submission Details
Severity: medium
Valid

setEggNFT Address Update Vulnerability

Summary

The setEggNFT function allows the owner to update the eggNFT address. Changing this address without safeguards can make deposited NFTs inaccessible, as the contract will reference a new NFT contract that doesn’t hold the original tokens.

Vulnerability Details

The vulnerable function is:

    function setEggNFT(address _eggNFTAddress) external onlyOwner {
        require(_eggNFTAddress != address(0), "Invalid NFT address");
        eggNFT = EggstravaganzaNFT(_eggNFTAddress);
    }

The function updates eggNFT to a new address but doesn’t check compatibility with deposited NFTs. If the contract holds NFTs in the original EggstravaganzaNFT contract, changing eggNFT to a new address breaks access to those NFTs, as subsequent operations target the new contract.
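
One way to guard the setter, shown as an added example that is not part of the submission or the project's code: the address can change only while no deposit records refer to the current NFT contract. The names GuardedEggVault, IERC721Minimal and depositedCount, and the deposit and withdraw bodies, are hypothetical; only setEggNFT, eggNFT, storedEggs and eggDepositors appear on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface needed by this sketch (hypothetical interface name).
interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical vault written for illustration, not the audited contract.
contract GuardedEggVault {
    address public immutable owner;
    IERC721Minimal public eggNFT;
    mapping(uint256 => bool) public storedEggs;
    mapping(uint256 => address) public eggDepositors;
    uint256 public depositedCount; // assumption: live count of eggs held by the vault

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address _eggNFTAddress) {
        require(_eggNFTAddress != address(0), "Invalid NFT address");
        owner = msg.sender;
        eggNFT = IERC721Minimal(_eggNFTAddress);
    }

    // Pulls the token from the caller (prior approval required) and records it.
    function depositEgg(uint256 tokenId) external {
        require(!storedEggs[tokenId], "Egg already deposited");
        storedEggs[tokenId] = true;
        eggDepositors[tokenId] = msg.sender;
        depositedCount++;
        eggNFT.transferFrom(msg.sender, address(this), tokenId);
    }

    // Clears the records before returning the token to its depositor.
    function withdrawEgg(uint256 tokenId) external {
        require(eggDepositors[tokenId] == msg.sender, "Not the depositor");
        delete storedEggs[tokenId];
        delete eggDepositors[tokenId];
        depositedCount--;
        eggNFT.transferFrom(address(this), msg.sender, tokenId);
    }

    // Guard: reject an address change while any deposit record targets the old contract.
    function setEggNFT(address _eggNFTAddress) external onlyOwner {
        require(_eggNFTAddress != address(0), "Invalid NFT address");
        require(depositedCount == 0, "Eggs still deposited");
        eggNFT = IERC721Minimal(_eggNFTAddress);
    }
}
```

With this guard, a call to setEggNFT reverts until every deposited egg has been withdrawn, so storedEggs and eggDepositors never describe tokens in a contract the vault no longer references.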

Impact

Users may lose access to deposited NFTs, resulting in financial loss. Functions relying on eggNFT will fail for existing tokens, breaking contract functionality. This could harm the project’s reputation.

Tools Used

Manual code review.

Recommendations

Updates

Lead Judging Commences

m3dython Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

State corruption

Changing the NFT contract address doesn't update the storedEggs and eggDepositors mappings
