Submission Details
Severity:
Soulmate.tokenURI does not comply with ERC721
Summary
According to the standard, the tokenURI method must be reverted if a non-existent tokenId is passed. This a violation of the EIP721 spec.
Vulnerability Details
The tokenURI method violates the EIP721 standard by not checking the existence of the passed tokenId (see https://eips.ethereum.org/EIPS/eip-721#specification).
Also the method is empty and useless.
/// @dev will be added after audit.
/// @dev Since it is only used by wallets, it won't create any edge case.
function tokenURI(uint256) public pure override returns (string memory) {
// To do
return "";
}
Impact
Limited impact, like poor user experience.
Tools Used
Manual code review.
Recommendations
Add a proper implementation for the function or check for token existence at least. Could use the ERC721URIStorage.tokenURI() implementation.
/// @dev will be added after audit.
/// @dev Since it is only used by wallets, it won't create any edge case.
function tokenURI(uint256 tokenId) public pure override returns (string memory) {
+++ _requireOwned(tokenId);
// To do
return "";
}
Rewards breakdown
nSLOC
233This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.