Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: medium
Invalid

Lack of Input Validation in the `divideNft` function

Summary

Absence of checks and validations in the `divideNft` function (ln. 109) to ensure that the ERC-20 token and the ERC-721 NFT comply with their respective token and contract standards.

Vulnerability Details

Firstly, the `divideNft` function depends heavily on unverified and unchecked assumptions about the validity of the newly created ERC-20 contract; there are no checks confirming that the ERC-20 contract adheres to the token standard.

Secondly, the `divideNft` function relies on the `onlyNftOwner` modifier, which checks whether the caller is the owner of the NFT. This assumes that the NFT is ERC-721 compliant and that ownership cannot be spoofed or circumvented.

Impact

If the token and NFT contracts do not strictly follow the ERC-20 and ERC-721 standards, bad actors and malicious users would have free rein to call the `divideNft` function indiscriminately.

Tools Used

Manual code review and analysis

Recommendations

First, use a vetted factory pattern to create the ERC-20 tokens and ensure that newly created contracts conform to the ERC-20 token standard.

Secondly, add proper validation, such as checking interface support via `supportsInterface`, to ensure compatibility with the ERC-721 NFT standard.
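The following is an added illustration of the second recommendation, not code from the Pieces Protocol repository: a hypothetical vault whose `divideNft` (signature assumed here as `divideNft(address nft, uint256 tokenId, uint256 amount)`) only accepts an NFT contract that answers the ERC-165 `supportsInterface` query for ERC-721 and whose `ownerOf` matches the caller. The ERC-721 interface id `0x80ac58cd` comes from EIP-721, and the minimal interfaces are declared inline so the file compiles stand-alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subsets of ERC-165 and ERC-721, declared inline for a self-contained example.
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

interface IERC721 is IERC165 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

/// Hypothetical vault (not the protocol's own contract) showing the ERC-721 gate.
contract NftCompliantVault {
    // ERC-165 interface id of ERC-721 as defined in EIP-721.
    bytes4 public constant ERC721_INTERFACE_ID = 0x80ac58cd;

    error NotERC721(address nft);
    error NotNftOwner(address caller, address owner);

    /// True only if `nft` is a deployed contract that reports ERC-721 support
    /// without reverting; EOAs and non-ERC-165 contracts yield false.
    function isERC721(address nft) public view returns (bool) {
        if (nft.code.length == 0) return false; // EOA or not yet deployed
        try IERC165(nft).supportsInterface(ERC721_INTERFACE_ID) returns (bool ok) {
            return ok;
        } catch {
            return false; // contract does not implement ERC-165 at all
        }
    }

    /// Replaces a bare "caller == owner" check with a compliance check first.
    modifier onlyCompliantNftOwner(address nft, uint256 tokenId) {
        if (!isERC721(nft)) revert NotERC721(nft);
        address owner = IERC721(nft).ownerOf(tokenId);
        if (owner != msg.sender) revert NotNftOwner(msg.sender, owner);
        _;
    }

    /// Takes custody of the NFT only after the compliance and ownership gate passes.
    function divideNft(address nft, uint256 tokenId, uint256 amount)
        external
        onlyCompliantNftOwner(nft, tokenId)
    {
        require(amount > 0, "amount must be positive");
        IERC721(nft).transferFrom(msg.sender, address(this), tokenId);
        // Minting of the fractional ERC-20 (via a vetted factory) would follow here.
    }
}
```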

Updates

Lead Judging Commences

fishy Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
