Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Documentation and Implementation Mismatch in buyOrder Function

Summary

The documentation for the buyOrder function states it accepts "ETH or any token" for payment, but the implementation only accepts ETH payments via msg.value.

Vulnerability Details

There is a discrepancy between the documentation and implementation of the buyOrder function:

Documentation comment states:

@dev when the buyer call this function, the eth or any token accepted to pay, is sent to the seller

However, the implementation only accepts ETH payments:

    function buyOrder(uint256 orderIndex, address seller) external payable {
        // Only checks msg.value
        if (msg.value < order.price) {
            revert TokenDivider__IncorrectEtherAmount();
        }
        // Only handles ETH transfers
        (bool success, ) = payable(order.seller).call{value: (order.price - sellerFee)}("");
    }

Impact

  • Misleading documentation could cause integration issues

  • Developers may build incorrect integrations based on documentation

Tools Used

Manual code review

Recommendations

  1. Update the documentation to clearly state that only ETH payments are accepted:

     @dev when the buyer calls this function, ETH payment is sent to the seller

  2. Or modify the implementation to accept token payments as documented by:

  • Adding parameters for payment token address

  • Adding token transfer logic

  • Implementing proper token approval checks
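
A sketch of the second recommendation, added here as an illustration; it is not the protocol's code and not part of the submission. The `Order` layout, the error names, the `createOrder` helper and the "address(0) means ETH" convention are assumptions, and fees and the NFT fraction transfer are left out so that only the payment path is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical contract: every name below is an assumption made for this sketch.
contract PaymentTokenSketch {
    using SafeERC20 for IERC20;

    struct Order {
        address seller;
        address paymentToken; // address(0) = native ETH, otherwise an ERC-20
        uint256 price;
        bool open;
    }

    error OrderNotOpen();
    error IncorrectEtherAmount();
    error UnexpectedEther();
    error TransferFailed();

    mapping(address => Order[]) private orders;

    // The seller fixes the payment asset when listing, so the buyer cannot choose it.
    function createOrder(address paymentToken, uint256 price) external {
        orders[msg.sender].push(Order(msg.sender, paymentToken, price, true));
    }

    function buyOrder(uint256 orderIndex, address seller) external payable {
        Order storage order = orders[seller][orderIndex];
        if (!order.open) revert OrderNotOpen();
        order.open = false; // state change before any external call

        if (order.paymentToken == address(0)) {
            // This sketch requires the exact price rather than allowing overpayment.
            if (msg.value != order.price) revert IncorrectEtherAmount();
            (bool ok, ) = payable(order.seller).call{value: order.price}("");
            if (!ok) revert TransferFailed();
        } else {
            // ETH attached to a token-priced order would be stranded in the contract.
            if (msg.value != 0) revert UnexpectedEther();
            // Reverts unless the buyer has approved this contract for at least `price`.
            IERC20(order.paymentToken).safeTransferFrom(msg.sender, order.seller, order.price);
        }
    }
}
```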

Updates

Lead Judging Commences

fishy Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
