Unsafe NFT Transfers Risk Locking Tokens
Summary
The EggVault contract uses transferFrom for NFT withdrawals instead of the ERC721-standard safeTransferFrom, creating a risk of permanent NFT loss when users withdraw tokens to smart contracts that do not support ERC721. This violates best practices and can lead to irreversible asset locking.
Vulnerability Details
Location:
EggVault::withdrawEgg(uint256 tokenId)
Issue:
The contract uses
transferFromfor NFT transfers, which does not verify if the recipient can handle ERC721 tokens.If an NFT is sent to a contract that does not implement
IERC721Receiver, the transfer succeeds, but the NFT becomes permanently stuck—unable to be recovered.
Attack Scenarios:
Accidental Transfer to Incompatible Contracts
A user withdraws an NFT to a DEX, lending protocol, or other contract not designed to hold NFTs.
The transaction completes, but the NFT is locked forever because the recipient cannot process it.
Root Cause:
The contract fails to comply with EIP-721, which mandates the use of
safeTransferFromfor secure NFT transfers.Missing
IERC721Receiverimplementation in the vault contract.
Impact
This leads to permanent, irreversible loss of user NFTs.
Tools Used
Manual Review
Recommendations
1. Use safeTransferFrom for All Withdrawals
2. Implement IERC721Receiver in EggVault and receiver contract
Lead Judging Commences
Unsafe ERC721 Transfer
NFTs are transferred to contracts without onERC721Received implementation.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.