Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Invalid

Missing Allowance and Ownership Validation in transferErcTokens Function

Summary

The transferErcTokens function in the TokenDivider contract does not properly validate ERC20 allowances before initiating token transfers. This oversight allows unauthorized transfers of tokens and exposes user balances to potential exploitation.

Vulnerability Details

No Allowance Validation

The function directly calls IERC20.transferFrom without checking if msg.sender has granted sufficient allowance to the contract. This opens the door for unauthorized token transfers.

Access Control Issues

Any user can call this function and transfer tokens they do not own, as there is no ownership validation for the tokens being transferred.

Missing Security Practices

The absence of allowance and ownership validation deviates from standard secure practices in token transfers, increasing the risk of misuse and token theft.

Impact

Unauthorized Token Transfers:
Malicious actors can exploit this function to transfer token balances they do not own.

Violation of ERC20 Standards:
The missing allowance check deviates from the standard practice of verifying approve before calling transferFrom.

Tools Used

Manual Code Review.

Reference to ERC20 specifications for correct approve and transferFrom logic.

Recommendations

Enforce Allowance Validation:
Validate msg.sender’s allowance before calling transferFrom:

if (IERC20(tokenInfo.erc20Address).allowance(msg.sender, address(this)) < amount) { revert TokenDivider__InsufficientAllowance(); }

Restrict Unauthorized Transfers:
Ensure only the token owner can initiate the transfer.

if (msg.sender != to) { revert TokenDivider__UnauthorizedTransfer(); }

The approve function in ERC20 tokens is essential to allow a spender (another address) to withdraw tokens on behalf of the owner. Without this, the transferFrom function cannot ensure that the token owner has explicitly granted permission for such actions.
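How approve, allowance and transferFrom relate, as an added example that is not part of the submission or of the Pieces Protocol code: MiniERC20 and PullExample are hypothetical contracts, and events are omitted for brevity. The token enforces the spender's allowance inside transferFrom, as common ERC20 implementations such as OpenZeppelin's do, so the explicit pre-check from the recommendation only changes which error the caller sees.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token: only the parts needed to show allowance handling.
contract MiniERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    error InsufficientAllowance(address spender, uint256 allowed, uint256 needed);
    error InsufficientBalance(address from, uint256 balance, uint256 needed);

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    // The owner (msg.sender) authorises `spender` to pull up to `amount`.
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // msg.sender is the spender; the token itself rejects an unapproved pull.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        if (allowed < amount) revert InsufficientAllowance(msg.sender, allowed, amount);
        uint256 bal = balanceOf[from];
        if (bal < amount) revert InsufficientBalance(from, bal, amount);
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] = bal - amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical caller contract that pulls the caller's own tokens.
contract PullExample {
    error PullExample__InsufficientAllowance();

    function pull(MiniERC20 token, address to, uint256 amount) external {
        // Explicit pre-check in the style of the recommendation above.
        if (token.allowance(msg.sender, address(this)) < amount) {
            revert PullExample__InsufficientAllowance();
        }
        // `from` is fixed to msg.sender, so only the caller's balance can move.
        bool ok = token.transferFrom(msg.sender, to, amount);
        require(ok, "transferFrom failed");
    }
}
```

If the pre-check in pull is removed, a call without a prior approve still reverts, with the token's InsufficientAllowance error instead of the contract's own.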

Updates

Lead Judging Commences

fishy Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
