Vulnerability Details

The Pieces Protocol allows users to make NFTs liquid by dividing them into multiple ERC20 tokens that can be traded.

However, the internal user balances of the Pieces protocol do not track the ERC20 tokens that have been acquired from outside the protocol. For example, if a user has acquired 4/5 fractions of the NFT via the Pieces Protocol and the last fraction by direct transfer or through a DEX/CEX, then the user will not be able to call TokenDivider::claimNft to exchange their fractions for the full NFT.

The same issue applies to TokenDivider::transferErcTokens and TokenDivider::sellErc20, which use the internal balances and, therefore, will not allow the transfer of fractions acquired from outside the Pieces Protocol.

Impact

ERC20 token fractions acquired from outside the Pieces protocol will not be usable within the protocol. This behavior contradicts the business logic of the protocol, which is designed to render an NFT liquid by fractioning it.

Recommendations

Remove the internal balances and rely on ERC20::balanceOf instead.