Summary

The TokenDivider contract contains a vulnerability in its handling of user balances. Specifically, it maintains a custom balances mapping to track ERC20 token holdings, but this mapping may become inconsistent with the actual token balances stored in the ERC20 contract. This inconsistency can result in incorrect balance tracking, leading to potential financial loss or incorrect functionality.

Vulnerability Details

The TokenDivider contract uses a custom balances mapping to track user holdings of ERC20 tokens that represent fractional ownership of NFTs. However, this mapping is not inherently synchronized with the balanceOf function of the ERC20 token contract. Actions such as direct transfers between users, transfers via marketplaces, or external interactions with the ERC20 contract could modify balances without updating the balances mapping. This could lead to scenarios where the contract believes a user holds tokens they no longer own or fails to recognize tokens a user has acquired externally.

Impact

The inconsistency between the custom balances mapping and the ERC20 token contract can cause several issues:
1. Users may be prevented from performing actions like reclaiming NFTs if the contract believes they do not hold the required number of tokens, even if they actually do.
2. Users may retain access to functions that require token holdings even after transferring their tokens externally, allowing unauthorized actions.
3. Discrepancies in token tracking could lead to a loss of trust in the contract and its functionality.

Tools Used

Manual Review

Recommendations

The balances mapping should be removed, and the contract should rely directly on the balanceOf function of the ERC20 token contract to track user holdings. This approach ensures consistency with the actual token balances and eliminates the risk of discrepancies caused by external token transfers. Additionally, this change simplifies the contract code, reducing potential attack vectors and improving maintainability.