Pieces Protocol

First Flight #32

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Off Chain Protocol ERC20 Fractions of NFTs transfer lead to Denial of Service to Claim NFT

singhyash

Summary

The TokenDivider contract uses a balances mapping to track users' ownership of fractionalized ERC20 tokens. However, this mapping becomes outdated if users transfer tokens off-protocol using the ERC20 transfer function. As a result, even if a user owns all fractional tokens of an NFT through off-protocol transactions, they will not be able to claim the NFT due to a mismatch between their actual token balance and the protocol's internal balances mapping.

Vulnerability Details

In the TokenDivider::claimNFTfunction verifies that a user has sufficient fractional tokens to claim the corresponding NFT. This verification relies on the balances mapping, as shown in the following code snippet:

if (balances[msg.sender][tokenInfo.erc20Address] < amount) {

revert TokenDivider__InsufficientBalance();

}

at Github Link.The balances mapping is updated only through protocol-specific functions and does not account for off-protocol transfers of fractional tokens. If a user transfers tokens using the ERC20 transfer function or acquires all fractional tokens off-protocol, the balances mapping will not reflect these changes. Consequently, users who rightfully own all fractional tokens may be unable to claim the NFT due to the outdated balance check.

Impact

Inability to Claim NFTs : Denial of Service(DOS)
- Users who transfer fractional tokens off-protocol or acquire all fractions off-protocol will not be able to claim the NFT, as the balances mapping does not reflect their actual ownership.
Protocol Limitations
- The reliance on an internal balances mapping instead of real-time token ownership introduces a design limitation, making the protocol less flexible and prone to errors.

Recommendations

On-Chain Verification of Token Ownership
- Use the ERC20 balanceOf function to directly verify a user's token ownership. This ensures the check is accurate and reflects the current state of the blockchain. Example implementation:
  if (IERC20(tokenInfo.erc20Address).balanceOf(msg.sender) < amount) {
revert TokenDivider__InsufficientBalance();}
- **Alert** : If user balance will be checked through ERC20 balanceOf, users are not to be allowed to mint NFT Fractions.
Educate Users

Clearly communicate the limitations of the current system to users, warning them about the consequences of transferring fractional tokens off-protocol. Include documentation on best practices to avoid potential issues.

Tools Used

Manual code review

Updates

Lead Judging Commences

fishy Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Appeal created

singhyash Submitter

7 months ago

singhyash Submitter

7 months ago

fishy Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Transfer ERC20ToGenerateNftFraccion separately to the contract

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.