Severity: medium
Valid

With no external mint function, `MondrianWallet::tokenURI` becomes useless, reverting every time someone calls it with any `tokenId`

Summary

The Mondrian Wallet contract is also an ERC721 token. However, there is no external mint function, which prevents the account owner (or any other actor) from minting new NFTs. As a result, the `MondrianWallet::tokenURI` function is useless.

Vulnerability Details

Because there is no external mint function, no new token can ever be minted. As a result, `MondrianWallet::tokenURI` will always revert due to the following lines:

```solidity
if (ownerOf(tokenId) == address(0)) {
    revert MondrainWallet__InvalidTokenId();
}
```

Proof of Code

Place the following code in MondrianWallet.test.js test file:

```javascript
it("tokenURI does not work", async function () {
    const walletOwnerAddress = await mondrianWallet.owner()
    const owner = await ethers.getSigner(walletOwnerAddress)
    const dest = await mondrianWallet.getAddress()
    const value = 0
    // Calldata for the internal _mint, addressed to the wallet itself
    const ABI = ["function _mint(address to, uint256 amount)"];
    const iface = new ethers.Interface(ABI);
    const tokenId = 0
    const functionData = iface.encodeFunctionData("_mint", [walletOwnerAddress, tokenId]);
    // Generating and signing message
    const message = ethers.keccak256(ethers.toUtf8Bytes("test"))
    const sig = await owner.signMessage(message)
    // Building PackedUserOperation (not used by the assertions below)
    const userOp = [owner.address, 0, "0x", "0x", ethers.ZeroHash, 0, ethers.ZeroHash, "0x", sig]
    await network.provider.request({
        method: "hardhat_impersonateAccount",
        params: [walletOwnerAddress],
    })
    // _mint is internal, so the self-call through execute cannot reach it
    await expect(mondrianWallet.execute(dest, value, functionData)).to.be.reverted
    // No token was minted, so tokenURI reverts for this tokenId
    await expect(mondrianWallet.tokenURI(0)).to.be.reverted
})
```

Impact

`MondrianWallet::tokenURI` will always revert, making it useless for any functionality built on top of it.

Tools Used

Manual review, Hardhat

Recommendations

Add a simple mint function so that new tokens can be minted and an address different from address(0) is assigned to token IDs:

```solidity
function mint(address to, uint256 tokenId) external {
    require(msg.sender == address(this), "Only account can mint tokens");
    _mint(to, tokenId);
}
```

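The access-control path of the recommended `mint` can be checked in a small stand-alone JavaScript model. This is an added example, not code from the submission or the MondrianWallet project; the `WalletModel` class, the sample addresses, and the owner-only restriction on `execute` are assumptions made for illustration.

```javascript
// Constructed model, not the project's Solidity: just enough wallet/ERC721
// behaviour to compare the contract before and after the recommended mint().
const ZERO = "0x0000000000000000000000000000000000000000";

class WalletModel {
  constructor(self, owner, withMintFix) {
    this.self = self;         // stands in for address(this)
    this.owner = owner;       // account owner
    this.owners = new Map();  // tokenId -> owner; empty until something mints
    // External dispatch table. Internal functions such as _mint are never here.
    this.external = { tokenURI: (sender, id) => this.tokenURI(id) };
    if (withMintFix) {
      this.external.mint = (sender, to, id) => {
        if (sender !== this.self) throw new Error("Only account can mint tokens");
        this.owners.set(id, to);
      };
    }
  }
  ownerOf(id) { return this.owners.get(id) ?? ZERO; }
  tokenURI(id) {  // mirrors the check quoted in Vulnerability Details
    if (this.ownerOf(id) === ZERO) throw new Error("MondrainWallet__InvalidTokenId");
    return `uri-${id}`;       // placeholder; real URI selection is not modelled
  }
  call(sender, fn, args) {    // a plain external call from `sender`
    const target = this.external[fn];
    if (!target) throw new Error(`no external function ${fn}`);
    return target(sender, ...args);
  }
  // Assumption: execute is owner-only. A call whose dest is the wallet itself
  // reaches the target with msg.sender == address(this).
  execute(sender, dest, fn, args) {
    if (sender !== this.owner) throw new Error("not owner");
    if (dest !== this.self) throw new Error("other destinations not modelled");
    return this.call(this.self, fn, args);
  }
}

// Returns "ok" or the revert reason so outcomes can be compared directly.
const attempt = (f) => { try { f(); return "ok"; } catch (e) { return e.message; } };

function scenario(withMintFix) {
  const w = new WalletModel("0xWallet", "0xOwner", withMintFix);
  return {
    internalMint: attempt(() => w.execute("0xOwner", "0xWallet", "_mint", ["0xOwner", 0])),
    outsiderMint: attempt(() => w.call("0xEve", "mint", ["0xEve", 0])),
    selfMint: attempt(() => w.execute("0xOwner", "0xWallet", "mint", ["0xOwner", 0])),
    tokenURI: attempt(() => w.call("0xAnyone", "tokenURI", [0])),
  };
}
console.log({ before: scenario(false), after: scenario(true) });
```

Without the fix every mint attempt fails and `tokenURI` reverts; with it, only the self-call routed through `execute` mints, and `tokenURI` then succeeds for that token.
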
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

The Wallet doesn't end up owning any nft
