The setEggNFT function is designed to set the address of the EggstravaganzaNFT contract in the vault. However, the function does not verify that the supplied address is a deployed contract, so the caller can point the vault at an address that holds no code. Every later interaction with the NFT contract then fails.
Function: setEggNFT(address _eggNFTAddress)
Vulnerability: The function checks that the address is not the zero address (address(0)), which is good practice. It does not check that the address actually holds contract code. An externally owned account (a regular user's wallet) or a mistyped address is therefore accepted and stored. From that point on, every call the vault makes to the NFT contract reverts, because a Solidity external call to an address without code cannot succeed.
Issue with current code: the only validation is the zero-address check, so the NFT address can be set, by mistake or on purpose, to an address that does not point to a contract.
Severity: Low
What's at Risk: If a non-contract address is stored, every vault function that calls into the NFT contract (for example transfer, mint, or ownership checks on the NFT) reverts, causing errors and disruption until the address is corrected.
Potential Consequences:
Vault operations that depend on the NFT contract, such as deposits or withdrawals, fail.
Users and integrators see unexplained reverts and a loss of functionality until the setter is called again with the correct address.
Tools Used: Manual code review
To prevent the risk of setting an invalid address for the NFT contract, it's recommended to:
Check for a valid contract address: Verify that the provided address holds code (address.code.length > 0, i.e. a non-zero extcodesize) and reject externally owned accounts. Note that this check alone is not conclusive: a contract that is still executing its constructor has no code yet, and any deployed contract passes, so it does not prove the address is the EggstravaganzaNFT contract. Where possible, also call a function the expected contract must implement (for example an ERC-165 supportsInterface query) and revert if that call fails.
Ensure address is not zero: Continue checking that the address is not the zero address (address(0)), which is a common best practice.
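The following Solidity contract illustrates the recommendation. It is an added example written for this report, not code from the Eggstravaganza project. The current behaviour is reproduced in setEggNFT_unchecked (zero-address check only), and setEggNFT shows the hardened version. The IERC165 interface, the ERC-721 interface id, and the owner-only modifier are assumptions: the page does not describe the EggstravaganzaNFT ABI or the access control on the setter, and the supportsInterface check assumes the NFT follows ERC-721 with ERC-165 support.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumption: the NFT contract is an
// ERC-721 that implements ERC-165, so it answers supportsInterface().
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

contract VaultSetterExample {
    address public owner;
    address public eggNFT;

    // ERC-721 interface id as defined in EIP-721 (via EIP-165).
    bytes4 private constant ERC721_INTERFACE_ID = 0x80ac58cd;

    error ZeroAddress();
    error NotAContract(address target);
    error NotAnERC721(address target);
    error NotOwner();

    constructor() {
        owner = msg.sender;
    }

    // Assumed access control; the finding is about validation, not who may call.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Current behaviour as the finding describes it: only the zero-address
    // check, so an externally owned account or a mistyped address is accepted.
    function setEggNFT_unchecked(address _eggNFTAddress) external onlyOwner {
        if (_eggNFTAddress == address(0)) revert ZeroAddress();
        eggNFT = _eggNFTAddress;
    }

    // Hardened setter.
    function setEggNFT(address _eggNFTAddress) external onlyOwner {
        if (_eggNFTAddress == address(0)) revert ZeroAddress();

        // Rejects externally owned accounts and not-yet-deployed addresses.
        // Caveat: code.length is 0 for a contract still in its constructor,
        // and any deployed contract passes, so this alone does not prove the
        // address is the EggstravaganzaNFT contract.
        if (_eggNFTAddress.code.length == 0) revert NotAContract(_eggNFTAddress);

        // Stronger check: ask the contract whether it implements ERC-721.
        // If the target reverts (no such function), the catch branch runs;
        // if it returns malformed data, decoding the bool reverts in this
        // contract. Either way the address is not stored.
        try IERC165(_eggNFTAddress).supportsInterface(ERC721_INTERFACE_ID) returns (bool ok) {
            if (!ok) revert NotAnERC721(_eggNFTAddress);
        } catch {
            revert NotAnERC721(_eggNFTAddress);
        }

        eggNFT = _eggNFTAddress;
    }
}
```

Deploying this in Remix or a Foundry test and calling setEggNFT with a wallet address reverts with NotAContract, while calling it with a contract that lacks supportsInterface reverts with NotAnERC721; setEggNFT_unchecked accepts both and leaves the vault pointing at an address it can never successfully call.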