Pieces Protocol

First Flight #32
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Invalid

Reentrancy Vulnerabilities in Key Functions

Description:
Two functions in TokenDivider make external calls before updating their own state, which leaves them open to reentrancy.

Affected Functions:

  1. TokenDivider.claimNft(address)

    • External call:

      ERC20ToGenerateNftFraccion(tokenInfo.erc20Address).burnFrom(msg.sender, erc20ToMintedAmount[tokenInfo.erc20Address]);
    • Updates state variable balances[msg.sender][tokenInfo.erc20Address] after the external call.

  2. TokenDivider.divideNft(address, uint256, uint256)

    • External calls:

      erc20Contract.mint(address(this), amount);
      IERC721(nftAddress).safeTransferFrom(msg.sender, address(this), tokenId);
    • Updates multiple state variables such as balances, erc20ToMintedAmount, erc20ToNft, and nftToErc20Info after the calls.

Impact:

  • Malicious contracts can exploit these functions to manipulate state variables.

  • Funds or assets could be stolen.

Recommendation:

  • Follow the checks-effects-interactions pattern: update the state variables (balances, erc20ToMintedAmount, erc20ToNft, nftToErc20Info) before making any external call (burnFrom, mint, safeTransferFrom).

  • As a second layer of protection, apply OpenZeppelin's ReentrancyGuard (the nonReentrant modifier) to claimNft and divideNft. A minimal guard of the same shape:

      bool private _reentrant;

      modifier nonReentrant() {
          require(!_reentrant, "ReentrancyGuard: reentrant call");
          _reentrant = true;
          _;
          _reentrant = false;
      }

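As an added example (not Pieces Protocol code and not part of this submission), here is a claimNft-style function written in the recommended order: checks first, state updates second, external calls last, with OpenZeppelin's nonReentrant as a second layer. It assumes OpenZeppelin v5 import paths, an ERC20 that exposes burnFrom, and hypothetical storage names that mirror those used in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin v5 import paths;
// contract and storage names below are illustrative, modelled on the finding.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";

// Assumed interface of the fraction token (burnFrom as in ERC20Burnable).
interface IBurnableERC20 {
    function burnFrom(address account, uint256 amount) external;
}

contract ClaimNftExample is ReentrancyGuard {
    struct NftInfo {
        address nftAddress;
        uint256 tokenId;
    }

    // Hypothetical storage mirroring the names used in the finding.
    // user => erc20 => fraction balance held in this contract
    mapping(address => mapping(address => uint256)) public balances;
    // erc20 => total fraction supply minted for the locked NFT
    mapping(address => uint256) public erc20ToMintedAmount;
    // erc20 => the NFT it represents
    mapping(address => NftInfo) public erc20ToNft;

    error InsufficientBalance();

    // Ordering the finding warns against (shown as comments only):
    //   IBurnableERC20(erc20).burnFrom(msg.sender, required);  // interaction first
    //   balances[msg.sender][erc20] = 0;                        // effect afterwards
    // Any callback during the external call would observe the stale balance.

    // Hardened ordering: checks, then effects, then interactions.
    function claimNft(address erc20) external nonReentrant {
        // Checks: read everything needed into memory and validate.
        uint256 required = erc20ToMintedAmount[erc20];
        if (balances[msg.sender][erc20] < required) revert InsufficientBalance();
        NftInfo memory info = erc20ToNft[erc20];

        // Effects: clear state before any external call is made.
        balances[msg.sender][erc20] = 0;
        delete erc20ToNft[erc20];
        delete erc20ToMintedAmount[erc20];

        // Interactions: external calls come last, using the memory copy.
        IBurnableERC20(erc20).burnFrom(msg.sender, required);
        IERC721(info.nftAddress).safeTransferFrom(address(this), msg.sender, info.tokenId);
    }
}
```

The local copies (required, info) are taken before the deletes so the external calls never read storage that has already been cleared; nonReentrant is defense in depth, not a substitute for the ordering.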
Updates

Lead Judging Commences

fishy Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
