First Flight #5: Santa's List

First Flight #5

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

The ```SantaList``` contract can't be deployed on MainNet.

kiteweb3

Summary

The SantaList contract can't be deployed on MainNet. The contract code size is 51609 bytes and exceeds 24576 bytes (a limit introduced in Spurious Dragon). This contract may not be deployable on Mainnet.

Vulnerability Details

//TokenUri.sol

contract TokenUri {

@> string public constant TOKEN_URI = "data:application/json;base64,ewogICAgIm5hbWUiOiAiU2FudGEgT ... ;

}

Impact

The SantaList contract inherit the TokenUri contract that has a huge code size because the json file (that contains the NFT metadata) is transformed before in base64 and then stored in the tokenURI string. This lead the contract to exceed the code size limit.

For testing it: import the repo in Github and compile the SantaList contract.

Remix returns this warnings:

"Warning: Contract code size is 51609 bytes and exceeds 24576 bytes (a limit introduced in Spurious Dragon). This contract may not be deployable on Mainnet. Consider enabling the optimizer (with a low "runs" value!), turning off revert strings, or using libraries.
--> Audit/SantaList/src/TokenUri.sol:9:1:
|
9 | contract TokenUri {
| ^ (Relevant source part starts here and spans across multiple lines)."

Tools Used

Remix Tool

Recommendations

Consider to passing the .svg image file in the constructor and encoding in the base64 in the tokenURI() function directly using the OpenZeppelin library.

+ import {Base64} from "@openzeppelin/contracts/utils/Base64.sol";

- constructor() ERC721("Merry Christmas 2023", "SANTA") {

+ constructor(string memory _imageURI) ERC721("Merry Christmas 2023", "SANTA") {

+ imageURI = _imageURI;

function tokenURI(uint256 /* tokenId */ ) public pure override returns (string memory) {

- return TOKEN_URI;

+ string memory imageURI;

+ return

+ string(

+ abi.encodePacked(

+ _baseURI(),

+ Base64.encode(

+ bytes(

+ abi.encodePacked(

+ '{"name":"',

+ name(),

+ '", "description":"An NFT for all those who are nice!", ',

+ imageURI,

+ '"}'

+ )

+ );

}

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

116

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.