Pieces Protocol

First Flight #32
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: high
Invalid

Lack of Access Control in claimNft Function

Summary

The claimNft function in TokenDivider.sol lacks proper access control mechanisms, allowing any external address to claim NFTs without restrictions.

Vulnerability Details

The claimNft function is defined as an external function, which means it can be called by any external address. There are no checks on the caller's identity or permissions before executing the function logic.

Impact

Proof of Concept:

An attacker could call this function with any NFT address, potentially claiming NFTs that belong to other users or to the contract itself.

```solidity
// An attacker calls the function with a known NFT address
claimNft(0x1234567890123456789012345678901234567890);
```

Tools Used

Manual review

Recommendations

Implement proper access control mechanisms to ensure only authorized addresses can claim NFTs. This could include:

  1. Checking if the caller is the owner of the NFT
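The ownership check recommended above, written out as an added illustration. This is a hypothetical, self-contained contract, not code from the Pieces Protocol repository or from this submission: the names NftVault, deposit, claimNft, claimNftUnchecked and depositorOf are assumptions, and the minimal IERC721 interface is declared inline so the file compiles without external imports. The unchecked variant is kept beside the checked one to show exactly which line closes the gap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface needed for the check (declared inline; hypothetical).
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

/// @notice Hypothetical escrow that holds an NFT on behalf of its depositor.
///         All identifiers here are illustrative, not the project's own.
contract NftVault {
    error NotDepositor(address caller, address depositor);
    error NothingDeposited();

    // Records who deposited each (collection, tokenId) pair.
    mapping(address nft => mapping(uint256 tokenId => address)) public depositorOf;

    function deposit(address nft, uint256 tokenId) external {
        // transferFrom reverts unless msg.sender owns or is approved for tokenId,
        // so the ERC-721 contract itself enforces ownership on the way in.
        IERC721(nft).transferFrom(msg.sender, address(this), tokenId);
        depositorOf[nft][tokenId] = msg.sender;
    }

    // Unsafe variant: any caller can pull any token the vault holds,
    // because the vault (not the caller) is the token's current owner.
    function claimNftUnchecked(address nft, uint256 tokenId) external {
        IERC721(nft).transferFrom(address(this), msg.sender, tokenId);
    }

    // Checked variant: only the recorded depositor may claim.
    function claimNft(address nft, uint256 tokenId) external {
        address depositor = depositorOf[nft][tokenId];
        if (depositor == address(0)) revert NothingDeposited();
        if (depositor != msg.sender) revert NotDepositor(msg.sender, depositor);

        // Clear state before the external call (checks-effects-interactions).
        delete depositorOf[nft][tokenId];
        IERC721(nft).transferFrom(address(this), msg.sender, tokenId);
    }
}
```

The point the side-by-side makes is that an `external` visibility modifier is not itself the problem; what matters is whether the function ties the caller to the asset it hands out. Once the vault owns the token, `transferFrom` no longer protects the original owner, so the contract must keep its own record (here `depositorOf`) and compare it to `msg.sender` before transferring.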

Updates

Lead Judging Commences

fishy (Lead Judge), 5 months ago
Submission Judgement Published
Invalidated
Reason: Other
