Submission Details
Severity: medium
Invalid

Non-Compliance with ERC721 and OpenSea metadata standards in Santas-List contract's tokenURI implementation

Summary

The SantasList contract's implementation of the tokenURI function fails to meet the ERC721 and OpenSea metadata standards for unique token identification.

Instead of providing distinct metadata for each Non-Fungible Token (NFT), it returns a static, uniform URI for all tokens.

This uniformity contradicts the fundamental principle of NFTs — each token being unique and identifiable.

Vulnerability Details

In the SantasList contract, the tokenURI function is designed to return a single, constant URI, irrespective of the token ID queried.

This design goes against the ERC721 standard's expectation that each token should have its own unique metadata, which is crucial for distinguishing one token from another.

OpenSea, a leading NFT marketplace, emphasizes this uniqueness in its metadata standards, expecting properties like name, description, image, and individual attributes for each token.

The current implementation of tokenURI in SantasList overlooks these standards, thereby failing to provide the necessary differentiation among tokens.

Impact

This issue is classified as Medium severity due to its potential to significantly undermine the functionality and marketability of the NFTs on platforms like OpenSea.

The absence of unique metadata can result in the NFTs not being properly recognized or displayed on these platforms, leading to a direct impact on the collection's attractiveness, user engagement, and overall market value.

Tools Used

OpenSea metadata standards guideline

OpenZeppelin ERC721 guideline

The analysis is based on manual code review and on the OpenZeppelin documentation and OpenSea's metadata standards documentation.

Recommendations

To align with the ERC721 and OpenSea standards, the SantasList contract should be updated so that its tokenURI function generates or retrieves unique metadata for each token.

The metadata should be hosted on a stable platform, such as IPFS, or be accessible via an HTTPS URL.

The recommended implementation involves dynamically constructing each token's URI based on its ID and metadata location.

First, add an import for OpenZeppelin's Strings library:

```solidity
import "@openzeppelin/contracts/utils/Strings.sol";
```

Then add the following functionality:

```solidity
function tokenURI(uint256 tokenId) public view override returns (string memory) {
    // Reject queries for token IDs that were never minted (or were burned).
    require(_ownerOf(tokenId) != address(0), "ERC721Metadata: URI query for nonexistent token");
    string memory baseURI = _baseURI();
    // Append the token ID to the base URI so every token resolves to its own metadata.
    return bytes(baseURI).length > 0 ? string(abi.encodePacked(baseURI, Strings.toString(tokenId))) : "";
}

function _baseURI() internal view virtual override returns (string memory) {
    return "https://api.example.com/token/";
}
```

This approach ensures each NFT is distinct and identifiable, enhancing its value and compliance with industry standards.

Your base URL could be provided in the constructor, or be defined as an immutable value.

The base URL for metadata should ideally be set post-minting to preserve the surprise element of NFT reveals, aligning with best practices in NFT launches.
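As an added example (not part of this submission or of the SantasList code), a Foundry test around a hypothetical `RevealableNFT` contract that applies the recommendation with a post-mint reveal: the owner sets the base URI after minting, `tokenURI` reverts for unminted IDs, and two minted tokens resolve to distinct URIs. The contract and test names, the OpenZeppelin v5 API and the `ipfs://<constructed-cid>/` base URI are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical collection (OpenZeppelin v5 assumed): per-token URIs derived
// from a base URI that the owner sets only after minting (the reveal).
contract RevealableNFT is ERC721, Ownable {
    string private s_baseURI; // empty until reveal

    constructor() ERC721("Revealable", "RVL") Ownable(msg.sender) {}

    function mint(address to, uint256 tokenId) external onlyOwner {
        _mint(to, tokenId);
    }

    function setBaseURI(string calldata newBaseURI) external onlyOwner {
        s_baseURI = newBaseURI;
    }

    // Inherited ERC721.tokenURI checks the token exists and appends the id to this.
    function _baseURI() internal view override returns (string memory) {
        return s_baseURI;
    }
}

contract RevealableNFTTest is Test {
    RevealableNFT nft;

    function setUp() public {
        nft = new RevealableNFT();
        nft.mint(makeAddr("alice"), 1);
        nft.mint(makeAddr("bob"), 2);
    }

    function test_TokenURIRevertsForUnmintedId() public {
        vm.expectRevert(abi.encodeWithSelector(IERC721Errors.ERC721NonexistentToken.selector, 99));
        nft.tokenURI(99);
    }

    function test_TokenURIsAreDistinctAfterReveal() public {
        assertEq(nft.tokenURI(1), ""); // pre-reveal: no metadata location leaks
        nft.setBaseURI("ipfs://<constructed-cid>/"); // constructed placeholder base URI
        assertEq(nft.tokenURI(1), "ipfs://<constructed-cid>/1");
        assertEq(nft.tokenURI(2), "ipfs://<constructed-cid>/2");
        assertTrue(keccak256(bytes(nft.tokenURI(1))) != keccak256(bytes(nft.tokenURI(2))));
    }
}
```

Run with `forge test` in a project that has forge-std and OpenZeppelin v5 installed; the first test also documents the revert a marketplace indexer will see when it queries an ID that was never minted.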

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
