Submission Details
Severity: medium
Invalid

`HorseStore.sol::TokenURI()` and `HorseStore.huff::TokenURI()` return an empty string

Summary

The HorseStore.sol::TokenURI() and HorseStore.huff::TokenURI() functions return an empty string, so the NFTs have no metadata (including the image).

Vulnerability Details

In HorseStore.sol, there is no explicit implementation of the tokenURI() function. This means that the function is inherited from the ERC721 standard without being overridden.

In HorseStore.huff, the tokenURI() function is defined as follows:

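```
#define macro TOKEN_URI() = takes (0) returns (0) {
    0x20 0x00 mstore    // store the word 0x20 at memory offset 0x00
    0x00 0x20 mstore    // store the word 0x00 at memory offset 0x20
    0x40 0x00 return    // return memory starting at offset 0x00, size 0x40
}
```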

This macro simply stores 0x20 and 0x00 in memory and then returns the contents of memory starting at 0x00 for 0x20 bytes. This effectively returns an empty string because it does not actually load any meaningful data into memory before returning it.

Impact

```solidity
// The tokenURI() function returns an empty string.
function testTokenURI() public {
    uint256 horseId = horseStore.totalSupply();
    vm.prank(user);
    horseStore.mintHorse();
    string memory tokenURI = horseStore.tokenURI(horseId);
    console2.log("tokenURI: %s", tokenURI);
}
```

```
Running 1 test for test/HorseStoreSolidity.t.sol:HorseStoreSolidity
[PASS] testTokenURI() (gas: 95668)
Logs:
tokenURI:
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 15.73ms
Running 1 test for test/HorseStoreHuff.t.sol:HorseStoreHuff
[PASS] testTokenURI() (gas: 66275)
Logs:
tokenURI:
```

Tools Used

Manual review

Recommendations

To fix this issue, it is necessary to implement the tokenURI() function in both HorseStore.sol and HorseStore.huff to return a valid URI for each NFT. This involves constructing a string that points to a resource with metadata about the token, such as a JSON file hosted on IPFS.
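
To see what a caller receives from the `TOKEN_URI()` macro quoted above, the following added example (not part of the original submission or the HorseStore code base) replays its three instructions on a zeroed memory and ABI-decodes the returned bytes as a `string`, next to a non-empty encoding for comparison. The helper names are hypothetical and the `ipfs://` value is a constructed placeholder.

```python
# Added example: replay TOKEN_URI()'s three Huff instructions on EVM-style
# memory and ABI-decode the return data as `string`. Names are hypothetical.
WORD = 32

def mstore(mem: bytearray, offset: int, value: int) -> None:
    """EVM MSTORE: write one 32-byte big-endian word, growing memory if needed."""
    end = offset + WORD
    if len(mem) < end:
        mem.extend(b"\x00" * (end - len(mem)))
    mem[offset:end] = value.to_bytes(WORD, "big")

def run_token_uri_macro() -> bytes:
    """Huff pushes left to right, so the last literal is the top of the stack."""
    mem = bytearray()
    mstore(mem, 0x00, 0x20)      # 0x20 0x00 mstore -> offset 0x00, value 0x20
    mstore(mem, 0x20, 0x00)      # 0x00 0x20 mstore -> offset 0x20, value 0x00
    offset, size = 0x00, 0x40    # 0x40 0x00 return -> offset 0x00, size 0x40
    return bytes(mem[offset:offset + size])

def decode_abi_string(data: bytes) -> str:
    """Decode return data of a function whose only output is a `string`."""
    if len(data) < WORD:
        raise ValueError("return data shorter than one word")
    head = int.from_bytes(data[:WORD], "big")        # offset of the length word
    if head + WORD > len(data):
        raise ValueError("string offset points outside return data")
    length = int.from_bytes(data[head:head + WORD], "big")
    body = data[head + WORD:head + WORD + length]
    if len(body) != length:
        raise ValueError("declared length exceeds return data")
    return body.decode("utf-8")

def encode_abi_string(s: str) -> bytes:
    """ABI-encode a single `string` return value (offset, length, padded data)."""
    raw = s.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % WORD)
    return (0x20).to_bytes(WORD, "big") + len(raw).to_bytes(WORD, "big") + padded

if __name__ == "__main__":
    ret = run_token_uri_macro()
    print(len(ret), "bytes ->", repr(decode_abi_string(ret)))
    sample = encode_abi_string("ipfs://<constructed-cid>/0.json")  # constructed value
    print(len(sample), "bytes ->", repr(decode_abi_string(sample)))
```

The macro's output is byte-for-byte the ABI encoding of `""`, which is why the Foundry log line prints nothing after `tokenURI:`.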

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
