Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Invalid

Reentrancy Attack in TokenDivider:claimNft Function

Summary

The function claimNft in TokenDivider.sol is vulnerable to a reentrancy attack due to an external contract interaction with IERC721.safeTransferFrom, which is used to transfer the NFT to msg.sender.

Vulnerability Details

The external call to IERC721.safeTransferFrom occurs after state variables are updated (balances[msg.sender] and erc20ToMintedAmount[tokenInfo.erc20Address] are set to 0).

However, the transfer of the NFT itself could trigger a fallback or hook function (e.g., onERC721Received), which the attacker could use to execute another claim on the same or another contract.

POC:

  1. Attacker has enough ETH to meet requirements.

  2. Attacker calls claimNft.

  3. During the execution of IERC721.safeTransferFrom, the attacker executes reentrant logic through the fallback function or hook, allowing them to call claimNft again before the first call completes.

Impact

High: Attacker can unjustly claim multiple NFTs and cause a DoS attack.

Tools Used

Slither and manual code review.

Recommendations

  1. Implement a CEI (Checks, Effects and Interactions) flow: make sure all state updates are in place before making external calls.

  2. Use OpenZeppelin's ReentrancyGuard library.
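The two recommendations above, written out as an added example that is not the protocol's code: the claim flow zeroes balances and erc20ToMintedAmount before the safeTransferFrom interaction, so a re-entered call from onERC721Received fails the balance check, and nonReentrant adds a second, independent layer. The TokenInfo layout, the erc20ToTokenInfo mapping and the OpenZeppelin Contracts v5 import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical minimal sketch of the claim flow. Storage names follow the
// report (balances, erc20ToMintedAmount, tokenInfo); everything else is assumed.
contract ClaimSketch is ReentrancyGuard {
    struct TokenInfo {
        address erc20Address; // fraction token for the NFT
        address nftAddress;   // ERC721 collection held by this contract
        uint256 tokenId;      // token held by this contract
    }

    mapping(address => uint256) public balances;            // fraction units per holder (assumed)
    mapping(address => uint256) public erc20ToMintedAmount; // total fraction supply per NFT (assumed)
    mapping(address => TokenInfo) public erc20ToTokenInfo;  // fraction token -> NFT (assumed)

    // Layer 2: nonReentrant rejects any nested call into this function.
    function claimNft(address erc20) external nonReentrant {
        TokenInfo memory tokenInfo = erc20ToTokenInfo[erc20];

        // Checks: caller must hold the whole fraction supply of this NFT.
        uint256 required = erc20ToMintedAmount[tokenInfo.erc20Address];
        require(required > 0, "nothing to claim");
        require(balances[msg.sender] == required, "insufficient balance");

        // Effects: clear state BEFORE the external call. Even without the
        // guard, a re-entered claimNft now sees required == 0 and reverts.
        balances[msg.sender] = 0;
        erc20ToMintedAmount[tokenInfo.erc20Address] = 0;
        delete erc20ToTokenInfo[erc20];

        // Interaction: safeTransferFrom invokes onERC721Received on a
        // contract recipient, which is the re-entry point the report names.
        IERC721(tokenInfo.nftAddress).safeTransferFrom(
            address(this), msg.sender, tokenInfo.tokenId
        );
    }
}
```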

Updates

Lead Judging Commences

fishy Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Reentrancy

Appeal created

fishy Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
