First Flight #15: Mondrian Wallet

First Flight #15

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

With no external mint function, `MondrianWallet::tokenURI` becomes useless, reverting every time someone calls it with any `tokenId`

ECunha

Summary

The Mondrian Wallet contract is also an ERC721 token. However, there is no external mint function, blocking the account owner (or any other actor) to mint new NFTs. This way, MondrianWallet::tokenURI function is useless.

Vulnerability Details

Because there is no external mint function, no new token is going to be minted. This way, MondrianWallet::tokenURI will always revert due to the following lines:

if (ownerOf(tokenId) == address(0)) {

revert MondrainWallet__InvalidTokenId();

}

Proof of Code

Place the following code in MondrianWallet.test.js test file:

it("tokenURI does not work", async function () {

const walletOwnerAddress = await mondrianWallet.owner()

const owner = await ethers.getSigner(walletOwnerAddress)

const dest = await mondrianWallet.getAddress()

const value = 0

const ABI = ["function _mint(address to, uint256 amount)"];

const iface = new ethers.Interface(ABI);

const tokenId = 0

const functionData = iface.encodeFunctionData("_mint", [walletOwnerAddress, tokenId]);

// Generating and signing message

const message = ethers.keccak256(ethers.toUtf8Bytes("test"))

const sig = await owner.signMessage(message)

// Building PackedUserOperation

const userOp = [owner.address, 0, "0x", "0x", ethers.ZeroHash, 0, ethers.ZeroHash, "0x", sig]

await network.provider.request({

method: "hardhat_impersonateAccount",

params: [walletOwnerAddress],

})

await expect(mondrianWallet.execute(dest, value, functionData)).to.be.reverted

await expect(mondrianWallet.tokenURI(0)).to.be.reverted

})

Impact

MondrianWallet::tokenURI will always revert, being useless for any functionality built on top of it.

Tools Used

Manual review, Hardhat

Recommendations

Add a simple mint function so that new tokens can be minted and an address different from address(0) is assigned to token IDs:

function mint(address to, uint256 tokenId) external {

require(msg.sender == address(this), "Only account can mint tokens");

_mint(to, tokenId);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

The Wallet doesn't end up owning any nft

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.