High Deployment Cost if Accidentally Deployed to Ethereum
Summary
Because the tokenURI is so large at over 50,000 characters long, there is a risk of significant USD gas usage if accidentally deployed on Ethereum instead of Arbitrum as intended. The SantasList.sol contract inherits from TokenUri, so the bytecode from TokenUri.sol gets included in the deployment cost for SantasList.sol.
Vulnerability Details
Running Forge test --gas-report we see a deployment cost of 12,088,926 gas for SantasList.sol.
Impact
Deploying to Arbitrum currently costs: (0.1 GWEI * 12,088,926) = 1,208,893 GWEI = 0.00121 ETH = 2.4$.
Accidentally deploying to Ethereum would cost around: (40 GWEI * 12,088,926) = 483,557,040 GWEI = 0.48355 ETH = 967$
Tools Used
Manual Review
Gas on Arbitrum and Ethereum for deployment: https://www.cryptoneur.xyz/en/gas-fees-calculator
Recommendations
Store only the base URI on chain, and construct the full URI off-chain via IPFS external decentralized storage. This is more gas-efficient because only the hash of the content (less than a few hundred characters) is needed to find the content (tokenURI, over 50,000 characters) associated with the hash. So instead of having the entire raw token URI string as a constant, you can replace it with the IPFS hash. The tokenURI function can be modified to return the concat of (IPFS gateway URL + IPFS hash).
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.