Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: medium
Invalid

`TokenDivider` contract uses local state for fractional token balance, making the ERC20 token balance redundant and inconsistent

Description:

The `TokenDivider` contract uses local state to manage the fractional token balance, disregarding the actual balance of the ERC20 token. As a result, the ERC20 token balance becomes redundant and inconsistent with the balance in the local state.

Impact:

Transferring the fractional ERC20 token directly does not update the local state, which breaks the consistency between the local state and the actual balance of the ERC20 token.

Proof of Concept:

Add the following to `test/unit/TokenDividerTest.t.sol`:

```solidity
function testTransferERCFractionOutsideDividerNotSync() public nftDivided {
    ERC20Mock fractionToken = ERC20Mock(tokenDivider.getErc20InfoFromNft(address(erc721Mock)).erc20Address);

    // After division, the ERC20 balances and TokenDivider's local state agree.
    assertEq(fractionToken.balanceOf(USER), AMOUNT);
    assertEq(fractionToken.balanceOf(USER2), 0);
    assertEq(tokenDivider.getBalanceOf(USER, address(fractionToken)), AMOUNT);
    assertEq(tokenDivider.getBalanceOf(USER2, address(fractionToken)), 0);

    // Transfer half of USER's fractions directly on the ERC20, bypassing TokenDivider.
    uint256 amountToTransfer = AMOUNT / 2;
    vm.prank(USER);
    fractionToken.transfer(USER2, amountToTransfer);

    // The local state was not updated, so the two views of each balance now differ.
    assertNotEq(fractionToken.balanceOf(USER), tokenDivider.getBalanceOf(USER, address(fractionToken)));
    assertNotEq(fractionToken.balanceOf(USER2), tokenDivider.getBalanceOf(USER2, address(fractionToken)));
}
```

Then run the test with `forge test --mt testTransferERCFractionOutsideDividerNotSync`.

Recommended Mitigation:

Remove the local state for fractional token balance and use the ERC20 token balance directly.
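The sketch below contrasts the mirrored-ledger pattern with the recommended one. It is an added example, not code from the `TokenDivider` repository: the contract names, `IERC20Like`, `recordTransfer` and `transferFractions` are hypothetical, and only the `getBalanceOf(user, token)` getter shape is taken from the test above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed for the sketch (hypothetical interface name).
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Pattern described in the finding: a second ledger mirrors ERC20 balances.
contract MirroredLedgerSketch {
    mapping(address user => mapping(address token => uint256)) private balances;

    // Only transfers routed through this contract update the mirror.
    function recordTransfer(address token, address to, uint256 amount) external {
        balances[msg.sender][token] -= amount; // reverts on underflow (0.8.x)
        balances[to][token] += amount;
        require(IERC20Like(token).transferFrom(msg.sender, to, amount), "transfer failed");
    }

    // Goes stale as soon as a holder calls token.transfer() directly.
    function getBalanceOf(address user, address token) external view returns (uint256) {
        return balances[user][token];
    }
}

/// Mitigated pattern: the ERC20 contract is the only source of truth.
contract TokenBalanceSketch {
    error InsufficientBalance(uint256 available, uint256 requested);

    // Reads the live token balance, so it cannot diverge from the ERC20.
    function getBalanceOf(address user, address token) public view returns (uint256) {
        return IERC20Like(token).balanceOf(user);
    }

    // Checks the live balance, then moves tokens via allowance.
    // No local bookkeeping exists that could fall out of sync.
    function transferFractions(address token, address to, uint256 amount) external {
        uint256 available = getBalanceOf(msg.sender, token);
        if (amount > available) revert InsufficientBalance(available, amount);
        require(IERC20Like(token).transferFrom(msg.sender, to, amount), "transfer failed");
    }
}
```

Both sketches assume the caller has approved the contract to spend the fraction token.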

Updates

Lead Judging Commences

fishy Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
