The depositEgg function in the EggVault.sol is public and can be called by anyone, potentially allowing a malicious actor to claim ownership of a deposited egg. We need to add another "require" line so that only the gameContract can call depositEgg.
The current setup could allow anybody to call depositEgg. Currently, we're only verifying that the NFT is owned by the vault and that the NFT is not already deposited.
Potential NFT theft, game integrity, and reputation damage.
Manual code review
Adjust access control: Add the below "require" line within the depositEgg function so that this function can ONLY be called through the gameContract and not directly.
Front-running depositEgg allows deposit ownership hijacking.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.