Summary
`transferErcTokens` calls `IERC20.transferFrom(msg.sender, to, amount)` without first checking that the caller has approved the TokenDivider contract to spend at least `amount` of the ERC20. If the allowance is insufficient, the token contract reverts and the whole transaction fails, with the token's generic error rather than a TokenDivider-specific one.
Vulnerability Details
In the `transferErcTokens` function, the contract transfers ERC20 tokens from the caller (`msg.sender`) to another address (`to`) via `transferFrom`, so the caller must previously have approved the TokenDivider contract as spender. The function validates the NFT address, the recipient, the amount and the caller's internal balance, but never validates whether `allowance(msg.sender, address(this))` covers `amount`; the first place an insufficient allowance is noticed is inside the token contract, after the internal balances have already been updated.
```solidity
function transferErcTokens(address nftAddress, address to, uint256 amount) external {
    if (nftAddress == address(0)) {
        revert TokenDivider__NftAddressIsZero();
    }
    if (to == address(0)) {
        revert TokenDivider__CantTransferToAddressZero();
    }
    if (amount == 0) {
        revert TokenDivider__AmountCantBeZero();
    }
    ERC20Info memory tokenInfo = nftToErc20Info[nftAddress];
    if (to == address(0)) {
        revert TokenDivider__CantTransferToAddressZero();
    }
    if (balances[msg.sender][tokenInfo.erc20Address] < amount) {
        revert TokenDivider__NotEnoughErc20Balance();
    }
    // Internal accounting is updated before the token is actually moved.
    balances[msg.sender][tokenInfo.erc20Address] -= amount;
    balances[to][tokenInfo.erc20Address] += amount;
    emit TokensTransfered(amount, tokenInfo.erc20Address);
    // No check that msg.sender has approved this contract for `amount`.
    IERC20(tokenInfo.erc20Address).transferFrom(msg.sender, to, amount);
}
```
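As an added example, and not the TokenDivider project's own code, the snippet below is a minimal stand-in contract carrying the recommended allowance check, together with a Foundry test that exercises both the missing-approval revert and the happy path after `approve`. It assumes OpenZeppelin Contracts v5 and forge-std are installed with the usual remappings; every name suffixed `Example`, the mock `FractionTokenExample` token, the `registerExample` seeding hook and the `NFT`/`ALICE`/`BOB` addresses are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not TokenDivider's own code. Assumes OpenZeppelin Contracts v5
// and forge-std are installed. All *Example names and addresses are hypothetical.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Test} from "forge-std/Test.sol";

contract TokenDividerExample {
    error TokenDivider__NftAddressIsZero();
    error TokenDivider__CantTransferToAddressZero();
    error TokenDivider__AmountCantBeZero();
    error TokenDivider__NotEnoughErc20Balance();
    error TokenDivider__InsufficientAllowance(); // new error for the recommended check

    struct ERC20Info { address erc20Address; }

    mapping(address => ERC20Info) public nftToErc20Info;
    // holder => erc20 => internal balance
    mapping(address => mapping(address => uint256)) public balances;

    event TokensTransfered(uint256 amount, address erc20);

    // Hypothetical seeding hook so the test can set up state without the rest
    // of the divider; a real deployment would not expose this.
    function registerExample(address nft, address erc20, address holder, uint256 amount) external {
        nftToErc20Info[nft] = ERC20Info(erc20);
        balances[holder][erc20] = amount;
    }

    function transferErcTokens(address nftAddress, address to, uint256 amount) external {
        if (nftAddress == address(0)) revert TokenDivider__NftAddressIsZero();
        if (to == address(0)) revert TokenDivider__CantTransferToAddressZero();
        if (amount == 0) revert TokenDivider__AmountCantBeZero();

        ERC20Info memory tokenInfo = nftToErc20Info[nftAddress];
        IERC20 token = IERC20(tokenInfo.erc20Address);

        if (balances[msg.sender][tokenInfo.erc20Address] < amount) {
            revert TokenDivider__NotEnoughErc20Balance();
        }
        // Recommended check: confirm the caller approved this contract for at
        // least `amount` before any state is written, and fail with a
        // contract-specific error instead of the token's generic one.
        if (token.allowance(msg.sender, address(this)) < amount) {
            revert TokenDivider__InsufficientAllowance();
        }

        balances[msg.sender][tokenInfo.erc20Address] -= amount;
        balances[to][tokenInfo.erc20Address] += amount;
        emit TokensTransfered(amount, tokenInfo.erc20Address);

        token.transferFrom(msg.sender, to, amount);
    }
}

// Hypothetical ERC20 standing in for the fractional token; mints to the deployer.
contract FractionTokenExample is ERC20 {
    constructor() ERC20("Fraction", "FRAC") {
        _mint(msg.sender, 1000e18);
    }
}

contract TransferErcTokensTest is Test {
    TokenDividerExample divider;
    FractionTokenExample token;
    address constant NFT = address(0xBEEF);
    address constant ALICE = address(0xA11CE);
    address constant BOB = address(0xB0B);

    function setUp() public {
        divider = new TokenDividerExample();
        vm.prank(ALICE); // ALICE deploys the token, so ALICE holds 1000 FRAC
        token = new FractionTokenExample();
        divider.registerExample(NFT, address(token), ALICE, 1000e18);
    }

    // Without approval the call reverts with the divider's own error and no
    // internal balance changes.
    function test_RevertsWithoutApproval() public {
        vm.prank(ALICE);
        vm.expectRevert(TokenDividerExample.TokenDivider__InsufficientAllowance.selector);
        divider.transferErcTokens(NFT, BOB, 100e18);
        assertEq(divider.balances(ALICE, address(token)), 1000e18);
    }

    // After approving the divider as spender the transfer goes through and the
    // internal accounting matches the on-chain token balances.
    function test_SucceedsAfterApproval() public {
        vm.startPrank(ALICE);
        token.approve(address(divider), 100e18);
        divider.transferErcTokens(NFT, BOB, 100e18);
        vm.stopPrank();
        assertEq(token.balanceOf(BOB), 100e18);
        assertEq(divider.balances(BOB, address(token)), 100e18);
        assertEq(divider.balances(ALICE, address(token)), 900e18);
    }
}
```

Place the file under `test/` and run `forge test`. The first test is the behaviour the finding describes made explicit: the revert now carries `TokenDivider__InsufficientAllowance` instead of the token's own allowance error, and it happens before the `balances` mappings are touched.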
Impact
If the caller has not approved the TokenDivider contract for at least `amount`, the `transferFrom` call reverts inside the token contract. For tokens that revert on insufficient allowance (the OpenZeppelin implementation does), the whole transaction reverts, so the internal balance updates made just before the call are rolled back and no tokens move; the user simply sees the token's own error rather than a descriptive TokenDivider error, and the call cannot succeed until they first call `approve` on the ERC20.
Tools Used
Manual Code Review
Recommendations
Check the caller's allowance explicitly, before any state is written, and revert with a contract-specific error so callers learn that they need to approve the contract first:
+ uint256 allowance = IERC20(tokenInfo.erc20Address).allowance(msg.sender, address(this));
+ if (allowance < amount) {
+ revert TokenDivider__InsufficientAllowance();
+ }
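Review bot: the check reverts with TokenDivider__InsufficientAllowance, but no such error is declared in the contract shown, so the hunk will not compile as-is; add `error TokenDivider__InsufficientAllowance();` next to the other TokenDivider__ errors. The hunk also gives no anchor for where the lines belong: put them after the TokenDivider__NotEnoughErc20Balance check and before the two `balances[...]` updates, so the revert fires before any state is written and before transferFrom is reached.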