✅Safe NFT

Idea

Obvious reentrancy in claim(), we can build an attack contract which implements IERC721Receiver.onERC721Received(). Don't forget this function should return a 4-byte function selector IERC721Receiver.onERC721Received.selector.

PoC

https://github.com/ret2basic/QuillCTF-PoC/blob/main/safeNFT/test/safeNFT.t.sol

safeNFT PoC