Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Invalid

Not validating the return value of ERC20 token transfers

Summary

In multiple functions, the return value of ERC20 transfers isn't checked, which could lead to malfunction of the TokenDivider contract.

Vulnerability Details

The functions TokenDivider::transferErcTokens, sellErc, and buyOrder don't validate the return value of the calls to IERC20::transferFrom and IERC20::transfer. If these calls fail by returning false, the balances map or s_userToSellOrders would still be updated, and a TokensTransfered event would still be emitted.

Impact

A discrepancy between the ERC20 and its respective NFT will cause major dysfunction of the contract. Users may not be able to claim an NFT, even if they have collected all the pegged ERC20 tokens.

Tools Used

slitherin

Recommendations

Use the SafeERC20 contract, or validate explicitly that the transfer and transferFrom functions return true, and revert otherwise.
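
The two options in this recommendation, sketched as an added example that is not taken from the TokenDivider source. The contract name, the `balances` layout, the `TokensMoved` event and the `TransferFailed` error are hypothetical; the imports assume OpenZeppelin Contracts is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical contract for illustration only; not the audited code.
contract CheckedTransferExample {
    using SafeERC20 for IERC20;

    error TransferFailed();

    // Assumed bookkeeping: user => token => amount tracked by this contract.
    mapping(address => mapping(address => uint256)) public balances;

    event TokensMoved(address indexed token, address indexed from, address indexed to, uint256 amount);

    // Option 1: check the returned bool explicitly and revert on false.
    // The revert rolls back the balance updates made earlier in the call.
    function moveChecked(IERC20 token, address to, uint256 amount) external {
        balances[msg.sender][address(token)] -= amount;
        balances[to][address(token)] += amount;

        bool ok = token.transferFrom(msg.sender, to, amount);
        if (!ok) revert TransferFailed();

        emit TokensMoved(address(token), msg.sender, to, amount);
    }

    // Option 2: SafeERC20 reverts when the token returns false and also
    // accepts tokens that return no data at all.
    function moveSafe(IERC20 token, address to, uint256 amount) external {
        balances[msg.sender][address(token)] -= amount;
        balances[to][address(token)] += amount;

        token.safeTransferFrom(msg.sender, to, amount);

        emit TokensMoved(address(token), msg.sender, to, amount);
    }
}
```

In both variants the bookkeeping and the event only persist if the token transfer succeeded, which is the property the recommendation asks for.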

Updates

Lead Judging Commences

fishy Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
