Eggstravaganza
First Flight #37
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Use of transferFrom in withdrawEgg Risks NFT Loss to Incompatible Contracts

goraleksanyann

Summary

The withdrawEgg function in the EggVault contract uses transferFrom to transfer NFTs, which does not verify if the recipient can safely receive ERC721 tokens. This could result in NFTs being irreversibly locked in contracts that do not support ERC721, leading to asset loss.

Vulnerability Details

eggNFT.transferFrom(address(this), msg.sender, tokenId);

This function blindly transfers the NFT to msg.sender without checking if it’s a contract capable of receiving ERC721 tokens. If the recipient is a contract that does not implement onERC721Received, the NFT will be permanently stuck.

Using safeTransferFrom instead adds a safety mechanism: it checks if the recipient (if a contract) correctly implements the ERC721 receiver interface. If not, the transaction reverts, preventing the transfer and loss of the NFT.

Impact

NFTs may be sent to contracts that do not handle ERC721 tokens, resulting in permanent loss of ownership.

Tools Used

Manual code review

Recommendations

Replace the current transfer call with:

eggNFT.safeTransferFrom(address(this), msg.sender, tokenId);
Updates

Lead Judging Commences

m3dython Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unsafe ERC721 Transfer

NFTs are transferred to contracts without onERC721Received implementation.

Appeal created

mishoko Auditor
3 months ago
m3dython Lead Judge
3 months ago
mishoko Auditor
3 months ago
m3dython Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unsafe ERC721 Transfer

NFTs are transferred to contracts without onERC721Received implementation.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.