Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

No Check for Existing Token ID Before Minting in mintEgg Function

Summary
The mintEgg function lets the game contract mint new NFTs. But it doesn’t check if the tokenId has already been used before minting. This can cause the transaction to fail in a confusing way if someone tries to mint a token that already exists.

Vulnerability Details
function mintEgg(address to, uint256 tokenId) external returns (bool) {
    require(msg.sender == gameContract, "Unauthorized minter");
    _mint(to, tokenId);
    totalSupply += 1;
    return true;
}

The _mint() function will automatically fail if the token ID already exists — but the contract doesn't check this before calling _mint(). That means:

  • The error message won’t clearly tell what went wrong.

  • The whole transaction fails, which can be annoying for users and other smart contracts calling this.

Impact
The transaction can fail unexpectedly.

  • Users or frontend apps won’t know why it failed.

  • This makes the minting process less reliable and harder to debug.

Tools Used
OpenZeppelin (for understanding ERC721 _mint() and _exists() functions)

Recommendations

Add a line before _mint() to check if the token already exists.
This will stop the function early and show a clear error message if someone tries to mint a duplicate NFT.

require(!_exists(tokenId), "Token already minted");
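
An added example, not code from the Eggstravaganza contracts or from the submission: a self-contained sketch of mintEgg with the recommended check, plus a calling contract that reads the revert reason with try/catch. EggNFTSketch, GameCaller, tryMint and the simplified _mint/_exists bodies are assumptions that stand in for the ERC721 base the report refers to; tryMint has no access control because the sketch only covers error handling.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch: EggNFTSketch, GameCaller and tryMint are hypothetical names.
contract EggNFTSketch {
    address public immutable gameContract;
    uint256 public totalSupply;
    mapping(uint256 => address) private _owners;

    constructor(address game) { gameContract = game; }

    function _exists(uint256 tokenId) internal view returns (bool) {
        return _owners[tokenId] != address(0);
    }

    // Simplified stand-in for the ERC721 base _mint; it also rejects a used id.
    function _mint(address to, uint256 tokenId) internal {
        require(to != address(0), "base: zero address");     // constructed message
        require(!_exists(tokenId), "base: id already used"); // constructed message
        _owners[tokenId] = to;
    }

    function mintEgg(address to, uint256 tokenId) external returns (bool) {
        require(msg.sender == gameContract, "Unauthorized minter");
        require(!_exists(tokenId), "Token already minted"); // recommended check
        _mint(to, tokenId);
        totalSupply += 1;
        return true;
    }
}

contract GameCaller {
    EggNFTSketch public immutable egg;
    event MintResult(uint256 indexed tokenId, bool ok, string reason);

    constructor() { egg = new EggNFTSketch(address(this)); }

    // Only the inner call is rolled back on revert; the caller keeps running and
    // records the reason string instead of failing as a whole.
    function tryMint(address to, uint256 tokenId) external returns (bool ok, string memory reason) {
        try egg.mintEgg(to, tokenId) returns (bool minted) {
            ok = minted;
        } catch Error(string memory why) {
            reason = why; // reason string passed to require(...)
        } catch {
            reason = "non-string revert"; // custom error or panic
        }
        emit MintResult(tokenId, ok, reason);
    }
}
```
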

Updates

Lead Judging Commences

m3dython Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
