Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: high
Valid

Unauthorized NFT claim via depositEgg() function due to missing ownership verification

Summary:

The depositEgg() function lacks a check to verify that the depositor is the original owner of the NFT being deposited. This allows any user to claim NFTs that were directly transferred to the vault.

Vulnerability Details:

The function depositEgg() only checks that the vault contract is the current owner of the NFT and does not validate whether the provided depositor address is actually the original owner of the NFT.

(eggNFT.ownerOf(tokenId) == address(this))

Exploit Scenario:

  1. Alice transfers an NFT to the vault manually using eggNFT.transferFrom(alice, vault, tokenId).

  2. Another user (Bob), monitoring the blockchain, sees the transfer and quickly calls depositEgg(tokenId, bob).

  3. The contract accepts the deposit because the NFT is in the vault, and sets Bob as the depositor (eggDepositors[tokenId] = bob).

Bob is now falsely recognized as the owner/depositor of that NFT inside the vault’s system.
This occurs because the contract does not check that the depositor argument matches the previous owner of the NFT or the caller of the function.

Impact

NFT ownership hijacking: users can claim NFTs by front-running legitimate deposits.

Tools Used:

Manual review

Recommendation:

Update the function to verify that the caller is the rightful owner of the token, e.g. by using the onERC721Received hook.
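One way to implement the recommended hook, as an added example that is not the contest's code or the submitter's. Only eggNFT, eggDepositors and depositEgg come from the finding; HardenedEggVault, withdrawEgg, the event and the minimal IERC721 interface are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Only eggNFT, eggDepositors and depositEgg come from the
// finding; HardenedEggVault, withdrawEgg and the event are hypothetical.
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract HardenedEggVault {
    IERC721 public immutable eggNFT;
    mapping(uint256 => address) public eggDepositors;

    event EggDeposited(address indexed depositor, uint256 indexed tokenId);

    constructor(IERC721 _eggNFT) {
        eggNFT = _eggNFT;
    }

    // Replaces depositEgg(tokenId, depositor): there is no caller-supplied
    // depositor any more. The NFT contract invokes this hook during
    // safeTransferFrom(from, vault, tokenId), so the record is written in
    // the same transaction as the transfer and cannot be front-run.
    function onERC721Received(
        address, // operator (unused)
        address from,
        uint256 tokenId,
        bytes calldata
    ) external returns (bytes4) {
        // Only the egg collection may report a deposit; otherwise anyone
        // could call the hook directly and forge a depositor record.
        require(msg.sender == address(eggNFT), "not the egg NFT");
        // A mint straight into the vault has no previous owner to credit.
        require(from != address(0), "no depositor");
        eggDepositors[tokenId] = from;
        emit EggDeposited(from, tokenId);
        return this.onERC721Received.selector;
    }

    // Hypothetical withdrawal path showing what the record gates.
    function withdrawEgg(uint256 tokenId) external {
        require(eggDepositors[tokenId] == msg.sender, "not the depositor");
        delete eggDepositors[tokenId]; // effects before the external call
        eggNFT.safeTransferFrom(address(this), msg.sender, tokenId);
    }
}
```

Tokens sent with plain transferFrom never trigger the hook, so they get no depositor record and nobody can claim them through this path; recovering them needs a separate, access-controlled mechanism.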

Updates

Lead Judging Commences

m3dython Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Frontrunning Vulnerability DepositEgg

Front-running depositEgg allows deposit ownership hijacking.
