Pieces Protocol

First Flight #32
Submission Details
Severity: high
Invalid

Insufficient Ownership Validation After safeTransferFrom on Arbitrary NFT Address

Summary

The vulnerability occurs in the divideNft function because, after the safeTransferFrom call, it only checks that the NFT's owner is no longer the original owner. It does not verify that the NFT was actually transferred to the contract itself. A malicious NFT contract could override safeTransferFrom to transfer ownership of the NFT to an unintended recipient while still passing this check, allowing for exploitation.

Vulnerability Details

IERC721(nftAddress).safeTransferFrom(msg.sender, address(this), tokenId, "");
if(IERC721(nftAddress).ownerOf(tokenId) == msg.sender) { revert TokenDivider__NftTransferFailed(); }

The above logic ensures that the ownership of the NFT is changed from the original owner (msg.sender). However, it does not verify that the TokenDivider contract is the new owner of the NFT. This allows malicious contracts to exploit the vulnerability by transferring ownership to an unintended address while still passing the current check.

Impact

Attackers can repeatedly exploit this vulnerability to mint unbacked tokens and potentially sell them, leading to financial losses for the system and its users.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, explicitly check that the TokenDivider contract becomes the owner of the NFT after the safeTransferFrom call:

if(IERC721(nftAddress).ownerOf(tokenId) != address(this)) { revert TokenDivider__NftTransferFailed(); }

This ensures the NFT is successfully transferred to the contract and prevents exploitation by malicious contracts.
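The recommended check in context, as an added illustration that is not the Pieces Protocol code: a reduced, hypothetical escrow contract (NftEscrowExample, the deposit function and the deposited mapping are all assumed names) that pulls an NFT in with safeTransferFrom and then requires that it is now the owner. The OpenZeppelin IERC721 and IERC721Receiver interfaces are assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

/// Hypothetical, reduced escrow used only to show where the recommended
/// post-transfer ownership check belongs. Not the audited contract.
contract NftEscrowExample is IERC721Receiver {
    error TokenDivider__NftTransferFailed();

    // deposited[nftAddress][tokenId] = address that escrowed the token
    mapping(address => mapping(uint256 => address)) public deposited;

    function deposit(address nftAddress, uint256 tokenId) external {
        IERC721 nft = IERC721(nftAddress);
        nft.safeTransferFrom(msg.sender, address(this), tokenId, "");

        // Recommended check: the escrow itself must now be the owner.
        // Checking only `ownerOf(tokenId) != msg.sender` would accept a
        // transfer that landed anywhere other than this contract.
        // Note: ownerOf is answered by nftAddress itself, so this guard is
        // only meaningful when that contract is trusted (e.g. allowlisted).
        if (nft.ownerOf(tokenId) != address(this)) {
            revert TokenDivider__NftTransferFailed();
        }

        deposited[nftAddress][tokenId] = msg.sender;
    }

    // Required so that safeTransferFrom into this contract does not revert.
    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        override
        returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```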

Updates

Lead Judging Commences

fishy Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
