Pieces Protocol

First Flight #32

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect ERC20 Token Naming Convention in NFT Fractionalization

bryanconquer

Summary

The ERC20 token created for NFT fractionalization incorrectly applies a hardcoded naming convention by appending "Fraccion" to the NFT’s name and prefixing "F" to its symbol. This approach:

Restricts flexibility, preventing users from defining custom names.
May cause confusion if the ERC20 name doesn’t match the NFT’s name in a user-expected way.
Breaks standard naming conventions, as ERC20 token names should ideally be user-defined or follow a structured pattern.

Vulnerability Details
The function hardcodes `"Fraccion"` as a suffix and `"F"` as a prefix, preventing user control over token naming.

function divideNft(address nftAddress, uint256 tokenId, uint256 amount) onlyNftOwner(nftAddress, tokenId) onlyNftOwner(nftAddress ,tokenId) external {

if(nftAddress == address(0)) { revert TokenDivider__NftAddressIsZero(); }

if(amount == 0) { revert TokenDivider__AmountCantBeZero(); }

ERC20ToGenerateNftFraccion erc20Contract = new ERC20ToGenerateNftFraccion(

string(abi.encodePacked(ERC721(nftAddress).name(), "Fraccion")), <== @audit name

string(abi.encodePacked("F", ERC721(nftAddress).symbol())));<== @audit symbol

// rest of the code

}

Impact

Functionality Impact: Medium – Naming inconsistency can lead to confusion and lack of branding control.
Security Impact: None – No direct security vulnerabilities.
Usability Impact: High – Users may not understand why names are arbitrarily altered.

Tools Used

manual review

Recommendations
Reuse NFT Name & Symbol Directly

ERC20ToGenerateNftFraccion erc20Contract = new ERC20ToGenerateNftFraccion(

ERC721(nftAddress).name(),

ERC721(nftAddress).symbol()

);

Allow User-Defined Suffix

function generateERC20FromNFT(address nftAddress, string calldata customSuffix) external {

string memory tokenName = string(abi.encodePacked(ERC721(nftAddress).name(), customSuffix));

string memory tokenSymbol = string(abi.encodePacked(ERC721(nftAddress).symbol(), customSuffix));

ERC20ToGenerateNftFraccion erc20Contract = new ERC20ToGenerateNftFraccion(tokenName, tokenSymbol);

}

Updates

Lead Judging Commences

fishy Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.