Eggstravaganza

First Flight #37
Submission Details
Severity: medium
Valid

M-1 Use the _safeMint function instead of the _mint() function of the ERC721 contract

Summary

The mintEgg function in the smart contract uses the _mint function instead of _safeMint, introducing a potential vulnerability when interacting with smart contracts that do not properly implement the IERC721Receiver interface. This can lead to token loss or unexpected behavior.

Vulnerability Details

The function:

    function mintEgg(address to, uint256 tokenId) external returns (bool) {
        require(msg.sender == gameContract, "Unauthorized minter");
        // Why use _mint when _safeMint is available?
        // @audit use _safeMint: _mint also succeeds for dummy contracts that cannot handle ERC721 tokens.
        _mint(to, tokenId);
        totalSupply += 1;
        return true;
    }

uses the low-level _mint method to mint ERC-721 tokens. However, _mint does not check whether the recipient address (to) is a smart contract and whether it implements the onERC721Received function from the IERC721Receiver interface. If the token is minted to a contract that doesn't handle ERC721 tokens correctly, the token may be permanently locked or lost.

Impact

If an attacker or a user mistakenly or maliciously sets the recipient address to a non-compliant smart contract, the newly minted NFT could be locked forever, rendering it inaccessible and essentially bricked. This can result in loss of assets, especially in gaming or collectible NFT ecosystems where every asset may carry significant value.

Tools Used

  • Manual Code Review

  • Solidity Language Specification

  • OpenZeppelin Documentation

Recommendations

Replace _mint with _safeMint to ensure the safety of token transfers to contracts:

    _safeMint(to, tokenId);

The _safeMint function includes a check to verify that the recipient address is capable of handling ERC721 tokens, preventing accidental minting to contracts that can't process or return tokens correctly.

This simple change ensures compliance with the ERC721 standard and avoids critical pitfalls that may result in permanent token loss.
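The two mint paths side by side, with one recipient of each kind, as an added example that is not the contest's own code. It assumes OpenZeppelin Contracts v5; EggSketch, mintEggUnchecked, NoReceiver and EggVault are hypothetical names, and moving the totalSupply update ahead of _safeMint is a choice made here because _safeMint calls back into the recipient.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical stand-in for the audited NFT contract, reduced to the mint path.
contract EggSketch is ERC721 {
    address public immutable gameContract;
    uint256 public totalSupply;

    constructor(address game) ERC721("EggSketch", "EGG") {
        gameContract = game;
    }

    // Behaviour described in the finding: succeeds for any non-zero `to`,
    // including contracts that have no ERC721 support at all.
    function mintEggUnchecked(address to, uint256 tokenId) external returns (bool) {
        require(msg.sender == gameContract, "Unauthorized minter");
        _mint(to, tokenId);
        totalSupply += 1;
        return true;
    }

    // Recommended behaviour: if `to` is a contract, the mint reverts unless it
    // returns the onERC721Received selector.
    function mintEgg(address to, uint256 tokenId) external returns (bool) {
        require(msg.sender == gameContract, "Unauthorized minter");
        totalSupply += 1; // state is updated before the external callback runs
        _safeMint(to, tokenId);
        return true;
    }
}

// No onERC721Received and no function that could call transferFrom:
// mintEggUnchecked succeeds here and the egg is stuck; mintEgg reverts.
contract NoReceiver {}

// Compliant recipient: both mint paths succeed.
contract EggVault is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

If the safe mint reverts, the whole transaction reverts with it, so the earlier totalSupply increment is rolled back as well.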

Updates

Lead Judging Commences

m3dython Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unsafe ERC721 Minting

Protocol doesn't check if recipient contracts can handle ERC721 tokens
