Kitty NFT uses non-standard metadata structure, making it difficult for marketplaces to retrieve information about the kitty
Summary
The structure of the NFT metadata includes properties/fields that does not follow the recommended ERC-721 standard, most marketplaces (e.g. OpenSea) follow the standard to pull data of the NFT to show it in their application.
A user interested in selling their NFT would've problems in doing so because marketplaces will be unable to pull all the data of the NFT because of the non-standard properties included in the token URI.
Vulnerability Details
The KittyConnect::tokenURI returns the following metadata structure:
Properties like breed, dob, owner and shopPartner are not part of the recommended metadata structure, marketplaces would not know how the fetch this data to properly indexed the token in their application.
Tools Used
Manual review
Recommendations
I recommend following OpenSea recommendations on how to create a rich metadata structure for the kitty for easily integration with marketplaces. See recommendations.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.