Pieces Protocol

First Flight #32

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

NFTs with the same address, but different tokenId can't be claimed

0xdimo

Summary

The protocol exposes functionality to split an NFT to ERC20s, which we call pieces. Each NFT can later be claimed back if a user decides to collect all the pieces and exchange them back for the NFT.

The vulnerable part is that the claimNft function will only take nftAddress as a parameter. This means that the user can't specify the tokenId, which he'd like to claim. Considering that the nftToErc20Info storage variable is never cleared of the claimed NFTs, this would cause previously divided NFTs with the same address, but different tokenIds to be forever stuck in the protocol.

PoC

function testDuplicateNFTAddress() public {

//NFT 0 is divided by USER

vm.startPrank(USER);

erc721Mock.approve(address(tokenDivider), TOKEN_ID);

tokenDivider.divideNft(address(erc721Mock), TOKEN_ID, AMOUNT);

ERC20Mock erc20Mock = ERC20Mock(tokenDivider.getErc20InfoFromNft(address(erc721Mock)).erc20Address);

console.log("ERC20 Token addres is: ", address(erc20Mock));

vm.stopPrank();

//NFT 1 is divided by USER2

vm.startPrank(USER2);

erc721Mock.approve(address(tokenDivider), 1);

tokenDivider.divideNft(address(erc721Mock), 1, AMOUNT);

ERC20Mock erc20Mock2 = ERC20Mock(tokenDivider.getErc20InfoFromNft(address(erc721Mock)).erc20Address);

console.log("ERC20 Token addres is: ", address(erc20Mock2));

vm.stopPrank();

vm.startPrank(USER);

vm.expectRevert(TokenDivider.TokenDivider__NotEnoughErc20Balance.selector);

//fails as USER does not have enough ERC20s for NFT 1

tokenDivider.claimNft(address(erc721Mock));

vm.stopPrank();

}

Impact

NFTs with the same address, but different tokenIds will be forever stuck in the protocol.

Tools Used

Manual Review

Recommendations

Add the parameter of tokenId to claimNft function.

Updates

Lead Judging Commences

fishy Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Wrong nft collection handling

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.