Eggstravaganza
First Flight #37
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Lack of Interface Compliance in EggVault

0xriz0

Summary

The EggVault contract did not implement the IERC721Receiver interface, which would prevent it from safely receiving NFTs via safeTransferFrom().

Vulnerability Details

Without implementing onERC721Received(), the vault will reject all transfers made with safeTransferFrom(), causing transactions to revert. This breaks ERC721 compatibility and limits safe integration with wallets and other NFT-aware contracts.

Additionally, without this interface, the vault cannot track who deposited the NFT using the secure from parameter. This leads to reliance on insecure external calls such as depositEgg(), which are exposed to spoofing and frontrunning attacks.

Impact

  • Deposits using safeTransferFrom() will fail.

  • Contracts and wallets cannot safely send NFTs to the vault.

  • Insecure deposit tracking increases attack surface.

Tools Used

  • Manual code inspection

  • Solidity docs

  • OpenZeppelin ERC721 spec

Recommendations

// SPDX-License-Identifier: SEE LICENSE IN LICENSE
pragma solidity ^0.8.23;
import "@openzeppelin/contracts/access/Ownable.sol";
import "./EggstravaganzaNFT.sol";
+ import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol"

  • Import and implement IERC721Receiver in the vault.

  • Handle all depositor registration inside onERC721Received().

  • Test compatibility with safeTransferFrom() flows.

  • Eliminate reliance on external deposit functions.

Updates

Lead Judging Commences

m3dython Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unsafe ERC721 Transfer

NFTs are transferred to contracts without onERC721Received implementation.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.