Pieces Protocol

First Flight #32
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: high
Valid

Anyone can mint fractions of the ERC20 deployed for an NFT

Summary

When the NFT owner calls TokenDivider::divideNFT, it mints ERC20 tokens representing the desired NFT division, but the minting function has no proper access control.

Vulnerability Details

In the contract at https://github.com/Cyfrin/2025-01-pieces-protocol/blob/4ef5e96fced27334f2a62e388a8a377f97a7f8cb/src/token/ERC20ToGenerateNftFraccion.sol#L15, there is no access modifier restricting who can mint NFT fractions, which is a critical security vulnerability.

Impact

Although the protocol design includes a mapping from ERC20 tokens to NFT fractions, the missing access control lets unauthorized parties mint fraction tokens at will, undermining the integrity of the system (a fraction token's supply no longer reflects the divided NFT).

Recommendations

Implement access control through:

  1. An onlyOwner modifier on the mint function, so that only the deploying TokenDivider can mint.

  2. A one-time minting flag:
    Add an access modifier such as onlyOwnerOfNFT, or prevent a second mint by setting a boolean that the function checks in a require statement:
    bool private minted;
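The shape of the issue and of the recommended fix, as an added illustration that is not the protocol's own code: the unrestricted token is a hypothetical stand-in for ERC20ToGenerateNftFraccion, and the hardened version assumes OpenZeppelin Contracts 5.x (whose Ownable takes the initial owner as a constructor argument) and that the deploying TokenDivider passes itself as that owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical stand-in for the vulnerable fraction token: mint() is external
// and unrestricted, so any address can inflate the supply after deployment.
contract UnrestrictedFractionToken is ERC20 {
    constructor(string memory name_, string memory symbol_) ERC20(name_, symbol_) {}

    function mint(address to, uint256 amount) external {
        _mint(to, amount); // no access control: anyone can call this
    }
}

// Hardened form combining both recommendations: only the owner (assumed to be
// the TokenDivider that deployed this token) may mint, and only once.
contract FractionToken is ERC20, Ownable {
    bool private minted;

    error AlreadyMinted();

    // `divider` is the TokenDivider address that becomes the sole minter.
    constructor(string memory name_, string memory symbol_, address divider)
        ERC20(name_, symbol_)
        Ownable(divider)
    {}

    function mint(address to, uint256 amount) external onlyOwner {
        // One-time flag: a second call reverts even from the owner, so the
        // fraction supply is fixed at the amount chosen in divideNFT.
        if (minted) revert AlreadyMinted();
        minted = true;
        _mint(to, amount);
    }
}
```

In a Foundry test, a call to FractionToken.mint from any address other than the divider reverts with OpenZeppelin's OwnableUnauthorizedAccount error, and a second call from the divider reverts with AlreadyMinted.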

Tools Used

Manual code review

Updates

Lead Judging Commences

fishy Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of token access control checks

Any person can mint the ERC20 token generated in representation of the NFT
