SDLPool's `tokenUri` function doesn't respect ERC721
Summary
According to the standard, the tokenURI method must be reverted if a non-existent lockid is passed. This means that a any counterfeit lock can be passed off as genuine when the tokenUri function is called, because it doen't check if the lock actually exists. It's also a violation of the ERC721 spec
Vulnerability Details
The tokenURI returns the baseURI for any id passed in. Scammers can create a fake lock token and pass if off a genuine. The unsuspecting user who calls the tokenUri function with the fake lock's id, will be shown the genuine baseUri as a result.
This also breaks ERC721 specification, which says that the tokenURI function should throws if _tokenId is not a valid NFT.
Impact
The function will return the protocol's baseURI for a counterfeit lock which can be used to deceive users.
The function breaks ERC721 specification.
Tools Used
Manual code review
Recommendations
Consider introducing a check for valididty of the lock before returning the baseURI.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.