Pieces Protocol

First Flight #32
Submission Details
Severity: medium
Invalid

User Confusion Due to Similar Token Names and Symbols

Summary

The contract generates ERC20 tokens (ERC20ToGenerateNftFraccion) for each divided NFT. The naming convention used (appending "Fraccion" to the NFT's name and prepending "F" to its symbol) does not sufficiently differentiate these new tokens from the original NFTs or from each other in scenarios where multiple NFTs with similar names are divided.
Code Snippet:
```solidity
ERC20ToGenerateNftFraccion erc20Contract = new ERC20ToGenerateNftFraccion(
    string(abi.encodePacked(ERC721(nftAddress).name(), "Fraccion")),
    string(abi.encodePacked("F", ERC721(nftAddress).symbol()))
);
```

Vulnerability Details

Impact

1. User Misidentification: Users might mistakenly interact with the wrong token due to the similarity in names and symbols, especially in wallets or interfaces where tokens are listed by these identifiers.
2. Phishing Vulnerability: This naming strategy could be exploited by malicious actors to create tokens with nearly identical names and symbols, leading to potential phishing attacks.
3. Marketplace Confusion: In decentralized marketplaces or DApps, sorting or displaying tokens could become problematic, leading to errors in trading or staking the correct token.
4. Operational Challenges: Developers integrating with the TokenDivider contract might find it hard to differentiate between tokens programmatically if relying solely on name or symbol for identification.

Tools Used

Manual Review

Recommendations

1. Unique Token Identifiers:
Implement a more distinct naming convention. For instance:
```solidity
ERC20ToGenerateNftFraccion erc20Contract = new ERC20ToGenerateNftFraccion(
    string(abi.encodePacked(ERC721(nftAddress).name(), "-Frac-", Strings.toString(uint160(address(this))))),
    string(abi.encodePacked("F-", ERC721(nftAddress).symbol(), "-", Strings.toString(uint160(address(this)))))
);
```
This approach uses the contract's address to ensure each token has a unique name and symbol.
2. User Education and Interface Design:
Provide clear guidance within the platform or through documentation on how to distinguish fractional tokens from original NFTs.
3. Metadata Enhancement:
Embed detailed metadata in the ERC20 tokens that can be read by client applications, explaining the token's origin and purpose. This includes linking back to the original NFT.
4. API for Token Identification:
Implement additional methods in the contract to help developers and users identify tokens uniquely, perhaps by returning a unique token ID alongside name and symbol.
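The following is an added example, not Pieces Protocol code, showing one way to carry out recommendations 1, 3 and 4 together. It goes a step beyond the suggested fix by keying the name and symbol on the NFT collection address and tokenId rather than on the divider contract's own address (which every fraction token minted by the same divider would share), and it exposes `nft()` and `tokenId()` getters so integrators never have to parse `name()` or `symbol()`. Contract and library names are hypothetical; OpenZeppelin v5 import paths are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Pieces Protocol code). Assumes OpenZeppelin v5 import paths.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC721Metadata} from "@openzeppelin/contracts/token/ERC721/extensions/IERC721Metadata.sol";
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

/// @dev Hypothetical helper: derives a name and symbol unique per (collection, tokenId),
///      so two NFTs split by the same divider contract cannot end up with identical identifiers.
library FractionNaming {
    using Strings for uint256;
    using Strings for address;

    function fractionName(address nft, uint256 tokenId) internal view returns (string memory) {
        // Result shape (constructed illustration): "<collection name> Fraction #<id> (0x<collection address>)"
        return string.concat(
            IERC721Metadata(nft).name(), " Fraction #", tokenId.toString(), " (", nft.toHexString(), ")"
        );
    }

    function fractionSymbol(address nft, uint256 tokenId) internal view returns (string memory) {
        // Symbols are meant to stay short: "F<collection symbol>-<id>"; tokenId disambiguates
        // within a collection, and the name above carries the full collection address.
        return string.concat("F", IERC721Metadata(nft).symbol(), "-", tokenId.toString());
    }
}

/// @dev Hypothetical fraction token that also records its provenance on-chain, giving
///      wallets and integrators an unambiguous link back to the original NFT.
contract FractionToken is ERC20 {
    address public immutable nft;
    uint256 public immutable tokenId;

    constructor(address nft_, uint256 tokenId_, address holder, uint256 supply)
        ERC20(FractionNaming.fractionName(nft_, tokenId_), FractionNaming.fractionSymbol(nft_, tokenId_))
    {
        nft = nft_;
        tokenId = tokenId_;
        // The divider would normally mint the full fraction supply to the NFT depositor.
        _mint(holder, supply);
    }
}
```

A front end that wants to verify a fraction token should read `nft()` and `tokenId()` and compare them against the original NFT rather than trusting the display name, since name and symbol remain freely choosable by any third-party token deployer.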
Updates

Lead Judging Commences

fishy Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
