📄 Summary

The EggHuntGame contract attempts to transfer NFTs from the user to the EggVault without verifying that the user has approved the game contract to perform the transfer. While this may revert due to standard ERC721 restrictions, the absence of a pre-check results in unclear UX, wasted gas, and potential unexpected reverts during execution.

🛠️ Vulnerability Details

Contract:

Function:

Problem:

This function calls:

Under ERC721 rules, this will revert if msg.sender has not explicitly approved the EggHuntGame or the EggVault contract to transfer their NFT. However, there is no prior check or user-facing validation to ensure the user has done so.

💥 Impact

• Unexpected Reverts: Users unaware of the approval requirement may call depositEggToVault() and experience failed transactions, losing gas.

• Poor UX: Without a user-friendly error message or guidance, users will not understand why the transfer failed.

• Frontend/Integration Failures: Dapps relying on this flow may not handle such reverts gracefully.

🔧 Tools Used

• Manual code review

• ERC721 specification reference (OpenZeppelin)

• UX impact assessment based on transaction reversion patterns

✅ Recommendations

✅ Solution 1: Add Explicit Approval Check

Use OpenZeppelin’s getApproved() or isApprovedForAll() to validate whether the transfer is authorized before attempting it.

✅ Solution 2: Use safeTransferFrom and Implement onERC721Received in EggVault

Using safeTransferFrom() ensures the recipient (EggVault) supports receiving NFTs and enables automatic callback handling:

Ensure EggVault implements:

🎯 Optional Enhancements

• Include an error message for failed approval to be surfaced in frontend UIs.

• Add UI guidance or helper function to prompt users to call approve() on the NFT contract before depositing.