First Flight #15: Mondrian Wallet

Summary

The URIs point only on the images instead of a JSON which is not compliant with ERC-721 Metadata Standards.

Vulnerability Details

All the URIs provided in MondrianWallet.sol point to an image instead of a JSON file.

Each can be checked with a browser access as follows:

https://arweave.net/jMRC4pksxwYIgi6vIBsMKXh3Sq0dfFFghSEqrchd_nQ

https://arweave.net/8NI8_fZSi2JyiqSTkIBDVWRGmHCwqHT0qn4QwF9hnPU

https://arweave.net/AVwp_mWsxZO7yZ6Sf3nrsoJhVnJppN02-cbXbFpdOME

https://arweave.net/n17SzjtRkcbHWzcPnm0UU6w1Af5N1p0LAcRUMNP-LiM

Impact

Non-Compliance with ERC-721 Metadata Standards:

• The ERC-721 standard includes an optional metadata extension (ERC-721 Metadata JSON Schema) which is widely adopted and expected in most use cases. This extension specifies that the URI should return a JSON object. Your contract only links directly to images, it is not utilizing this metadata extension fully.

• Marketplaces, wallets, and other NFT platforms usually rely on this JSON metadata to display information about the NFT to users. Without the JSON, the functionality and integration capabilities of your NFTs can be limited.

Tools Used

Manual review

Recommendations

To create a JSON file for an NFT using ArDrive (part of the Arweave ecosystem), you'll need to go through several steps to ensure the JSON meets the ERC-721 metadata standards and is hosted permanently on the Arweave network. Here’s a step-by-step guide:

1. Prepare the JSON Content
   Before uploading anything to ArDrive, you need to prepare the JSON content that will represent your NFT's metadata. Here is a basic structure of what this JSON might include:

Make sure to replace "https://arweave.net/ExampleImageHash" with the actual URL of the image for your NFT that is already uploaded to Arweave.

2. Upload the JSON File to Arweave using ArDrive

3. Use the JSON File URL in Your Smart Contract