Pieces Protocol

First Flight #32
Submission Details
Severity: high
Valid

Infinite ERC20 Token Minting with `type(uint256).max` Prevents Proper NFT Redemption

Summary

The current implementation of the `divideNft` function lets the caller choose any `amount` for the ERC20 tokens that represent the NFT fractions, up to `type(uint256).max`. When an effectively infinite supply is minted, no buyer can ever accumulate every fraction, so the required token balance for claiming the original NFT is unreachable and the fractionalization process is undermined.

Vulnerability Details

```solidity
function divideNft(address nftAddress, uint256 tokenId, uint256 amount) onlyNftOwner(nftAddress, tokenId) onlyNftOwner(nftAddress ,tokenId) external {
    if(nftAddress == address(0)) { revert TokenDivider__NftAddressIsZero(); }
    if(amount == 0) { revert TokenDivider__AmountCantBeZero(); }
    ERC20ToGenerateNftFraccion erc20Contract = new ERC20ToGenerateNftFraccion(
        string(abi.encodePacked(ERC721(nftAddress).name(), "Fraccion")),
        string(abi.encodePacked("F", ERC721(nftAddress).symbol())));
    erc20Contract.mint(address(this), amount); // @audit no upper bound on `amount`: up to type(uint256).max tokens can be minted
    // rest of the code
}
```


The contract lets the caller mint an unbounded number of ERC20 tokens (`amount` may be `type(uint256).max`), so buyers cannot acquire enough fractions to redeem the original NFT.

  • With an effectively infinite supply minted, no user can obtain the full set of fractions required to claim the NFT, which defeats the purpose of fractionalizing the asset.

  • Even a user who buys some tokens can never buy all of them, because the total minted supply exceeds any amount that could realistically be acquired, so the claim path is never satisfied.

Impact

  • Minting Abuse: The ability to mint an unbounded number of tokens disrupts the fractionalized token model.

  • Claim Process Failure: Users can't obtain enough tokens to claim the original NFT, breaking the intended functionality.

  • User Experience: Being unable to redeem the original NFT after acquiring all obtainable fractions results in frustration and confusion for users.

Tools Used
Manual review

Recommendations

Limit Minting Supply: Enforce a maximum on the number of ERC20 fraction tokens that can be minted per NFT, so the total supply stays within a bounded range that a claimant can actually accumulate, consistent with the fractionalization logic.

```solidity
uint256 maxTokensPerNft = 100; // or any other reasonable number
require(amount <= maxTokensPerNft, "Cannot mint more than the maximum allowed");
```
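As an added example (not the Pieces Protocol code), the following Solidity sketch carries the recommendation through to a redeemable design: the fraction supply is bounded by a constant, minted exactly once into a token with no public `mint`, and the claim path requires the full fixed supply. The contract and error names, the `MAX_FRACTIONS_PER_NFT` value, and the use of the OpenZeppelin `ERC20` and `IERC721` contracts are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes the OpenZeppelin contracts
// package is installed; all contract, error and constant names are hypothetical.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";

/// @notice Fraction token whose whole supply is minted once at creation.
///         There is no public mint, so the supply can never be inflated later.
contract FractionToken is ERC20 {
    address public immutable divider;

    error FractionToken__NotDivider();

    constructor(string memory name_, string memory symbol_, uint256 supply)
        ERC20(name_, symbol_)
    {
        divider = msg.sender;
        _mint(msg.sender, supply); // the only mint that will ever happen
    }

    /// @dev Only the divider may burn, and only as part of a full redemption.
    function burnFrom(address holder, uint256 amount) external {
        if (msg.sender != divider) revert FractionToken__NotDivider();
        _burn(holder, amount);
    }
}

contract HardenedDivider {
    /// @dev Upper bound on fractions per NFT (hypothetical value for the example).
    uint256 public constant MAX_FRACTIONS_PER_NFT = 1_000_000;

    struct Fractions { FractionToken token; uint256 supply; }
    mapping(address nft => mapping(uint256 tokenId => Fractions)) public fractionsOf;

    error Divider__AmountOutOfRange(uint256 amount);
    error Divider__AlreadyDivided();
    error Divider__NotDivided();
    error Divider__IncompleteSet(uint256 held, uint256 needed);

    function divideNft(address nftAddress, uint256 tokenId, uint256 amount) external {
        // The bound is what makes redemption reachable: `amount` can never be type(uint256).max.
        if (amount == 0 || amount > MAX_FRACTIONS_PER_NFT) revert Divider__AmountOutOfRange(amount);
        if (address(fractionsOf[nftAddress][tokenId].token) != address(0)) revert Divider__AlreadyDivided();

        // Escrow the NFT first; transferFrom reverts unless msg.sender owns or is approved for it.
        IERC721(nftAddress).transferFrom(msg.sender, address(this), tokenId);

        FractionToken token = new FractionToken("Fraction", "FRAC", amount);
        fractionsOf[nftAddress][tokenId] = Fractions(token, amount);
        // Hand the bounded supply to the former NFT owner to distribute or sell.
        token.transfer(msg.sender, amount);
    }

    function claimNft(address nftAddress, uint256 tokenId) external {
        Fractions memory f = fractionsOf[nftAddress][tokenId];
        if (address(f.token) == address(0)) revert Divider__NotDivided();

        uint256 held = f.token.balanceOf(msg.sender);
        // Supply is fixed, so holding `f.supply` tokens is always attainable.
        if (held < f.supply) revert Divider__IncompleteSet(held, f.supply);

        // Effects before the external NFT transfer (checks-effects-interactions).
        f.token.burnFrom(msg.sender, f.supply);
        delete fractionsOf[nftAddress][tokenId];
        IERC721(nftAddress).transferFrom(address(this), msg.sender, tokenId);
    }
}
```

The two properties a reviewer would check here are that the fraction supply is written once and has no public mint path, and that `claimNft` compares the caller's balance against that recorded supply rather than against a value the caller can influence. With both in place, the supply cap in `divideNft` guarantees that a complete set is always purchasable.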
Updates

Lead Judging Commences

fishy Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of token access control checks

Any person can mint the ERC20 token generated in representation of the NFT
