Unsafe NFT minting allows permanent token lockup
Description:
The EggstravaganzaNFT contract uses the unsafe _mint() function instead of _safeMint() when creating new NFT tokens. The _mint() function lacks the necessary checks to verify that contract recipients are capable of handling ERC721 tokens. This creates a significant vulnerability where NFT tokens can be permanently locked if minted to a contract address that doesn't implement the onERC721Received() interface.
Attack path:
A user participates in the egg hunt game and successfully finds an egg
The user's address happens to be a smart contract that doesn't implement the
onERC721Received()interfaceThe
EggHuntGamecontract callseggNFT.mintEgg(msg.sender, eggCounter)The
mintEggfunction uses_mint()to create the token and assign it to the contract addressThe transaction succeeds, but the token is now permanently locked in the recipient contract with no way to access or transfer it
Impact:
Permanent loss of NFT assets for users who are smart contracts without ERC721 receiving capability
Inconsistent game state as tokens are counted as "minted" but are effectively inaccessible
Recommended Mitigation:
Replace _mint() with _safeMint() in the mintEgg() function to ensure proper verification of the recipient:
Lead Judging Commences
Unsafe ERC721 Minting
Protocol doesn't check if recipient contracts can handle ERC721 tokens
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.