Eggstravaganza

Summary

The depositEggToVault function allows players to deposit their found Egg NFTs into the associated EggVault contract. However, it does not emit an event upon successful deposit.

Vulnerability Details

When a player successfully deposits an egg NFT into the vault via the depositEggToVault function, the state changes (NFT ownership transfer and internal vault state update). Standard practice dictates that significant state-changing operations should emit events. This allows external parties (like user interfaces, analytics platforms, or other contracts) to react to or track these actions efficiently without needing to constantly query the contract's state. The depositEggToVault function currently lacks such an event.

Impact

The absence of an event for egg deposits makes it harder for off-chain services and users to monitor when eggs are deposited into the vault. This lack of visibility might complicate tracking player actions or integrating the game with external applications that depend on knowing when deposits occur.

Tools Used

Manual Review

Recommendations

Emit an event within the depositEggToVault function to log the deposit action, including relevant details like the depositor, the token ID, and potentially the vault address.

1. Define a new event within the EggHuntGame contract:

   event EggDepositedToVault(address indexed player, uint256 indexed tokenId, address vault);

2. Emit this event at the end of the depositEggToVault function:

   function depositEggToVault(uint256 tokenId) external {

   require(eggNFT.ownerOf(tokenId) == msg.sender, "Not owner of this egg");

   eggNFT.transferFrom(msg.sender, address(eggVault), tokenId);

   eggVault.depositEgg(tokenId, msg.sender);

   emit EggDepositedToVault(msg.sender, tokenId, address(eggVault)); // Add this line

   }