Submission Details
Severity: high
Invalid

The `SantasList::tokenURI` function returns the same URI for every token

Summary

The metadata for all tokens will be the same.

Vulnerability Details

The `SantasList::tokenURI` function is marked as `pure` and returns a constant value. This means the metadata for all tokens is the same, which might not be desirable for a unique NFT collection.

Impact

The `SantasList::tokenURI` function returns the same URI for every token, which means that all tokens will share the same metadata. This is not typical for NFTs, where each token usually has unique metadata to distinguish it from others.
The `tokenId` parameter is not used in the function. This is unconventional for `tokenURI` functions, as they typically use the `tokenId` to construct or retrieve a unique URI for each token.
Also, there is no validation to check whether the `tokenId` exists. In a typical ERC721 implementation, the `tokenURI` function would revert or return an error if the `tokenId` does not correspond to a minted token.
The function is marked as `pure`, which indicates that it does not read from or modify the contract's state. This is consistent with returning a constant value but does not align with the typical use case of retrieving token-specific metadata.

Tools Used

VS Code

Recommendations

To address these issues and align with the expected behavior of an ERC721 token, the `tokenURI` function should be modified to use the `tokenId` to generate or retrieve a unique URI for each token and include validation to ensure the `tokenId` is valid.
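A sketch of the change this recommendation describes, added here as an example; it is not part of the original submission or the SantasList code base. It assumes OpenZeppelin's `ERC721` and `Strings`; the contract name, the base URI placeholder and the `mint` function are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

// Hypothetical contract: illustrates a per-token, validated tokenURI.
contract PerTokenURIExample is ERC721 {
    using Strings for uint256;

    // Constructed placeholder; a real collection would point at its own metadata folder.
    string private constant BASE_URI = "ipfs://<metadata-folder-cid-placeholder>/";

    uint256 private s_nextTokenId;

    constructor() ERC721("PerTokenURIExample", "PTU") {}

    // Hypothetical open mint, present only so the example has tokens to query.
    function mint() external returns (uint256 tokenId) {
        tokenId = s_nextTokenId++;
        _mint(msg.sender, tokenId);
    }

    // `view` rather than `pure`: the existence check reads ownership state.
    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        // ownerOf reverts when tokenId has not been minted, so a query for
        // a non-existent token fails instead of returning metadata.
        ownerOf(tokenId);

        // Derive a distinct URI from the id, e.g. ".../0.json", ".../1.json".
        return string.concat(BASE_URI, tokenId.toString(), ".json");
    }
}
```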

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
