Sablier
DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

Refreshing the NFT metadata for non-existent tokens can create issues for marketplaces.

Vulnerability details

The SablierV2Lockup::setNFTDescriptor function emits the BatchMetadataUpdate event, which tells every marketplace listening for it to refresh the old metadata of all tokens in the given ID range. Unfortunately, this function does not validate whether any tokens have been minted.

It hardcodes the first token ID as 1 and the last token ID as nextStreamId - 1, but the initial value of nextStreamId is 1. So, if no streams have been created at the time the NFT descriptor is updated, the event is emitted with a fromTokenId of 1 and a toTokenId of 0, which will create problems for marketplaces because no NFTs with token IDs 1 or 0 exist.

Impact

Refreshing the NFT metadata for non-existent tokens can create issues for marketplaces.

Tools Used

Manual Review

Recommended Mitigation Steps

Ensure that metadata is only refreshed when at least one stream has been created.
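The following is an added illustration, not Sablier's own code: a minimal contract that reproduces the emission described above next to a version that applies the recommended check. The contract, function and interface names are assumptions chosen for the example, and access control on the setter is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal stand-in for the ERC-4906 event that marketplaces listen for.
interface IERC4906 {
    event BatchMetadataUpdate(uint256 _fromTokenId, uint256 _toTokenId);
}

// Hypothetical placeholder for the descriptor contract type.
interface INFTDescriptor {}

contract LockupDescriptorExample is IERC4906 {
    INFTDescriptor public nftDescriptor;

    // Mirrors the finding: the first stream ID is 1, so before any
    // stream exists, nextStreamId - 1 == 0.
    uint256 public nextStreamId = 1;

    function createStream() external returns (uint256 streamId) {
        streamId = nextStreamId;
        nextStreamId += 1;
    }

    // Vulnerable form: with nextStreamId == 1 this emits
    // BatchMetadataUpdate(1, 0), a range that contains no token.
    function setNFTDescriptorVulnerable(INFTDescriptor newDescriptor) external {
        nftDescriptor = newDescriptor;
        emit BatchMetadataUpdate(1, nextStreamId - 1);
    }

    // Hardened form: only signal a refresh when at least one stream exists,
    // so the emitted range [1, lastTokenId] always covers minted tokens.
    function setNFTDescriptorFixed(INFTDescriptor newDescriptor) external {
        nftDescriptor = newDescriptor;
        uint256 lastTokenId = nextStreamId - 1;
        if (lastTokenId >= 1) {
            emit BatchMetadataUpdate(1, lastTokenId);
        }
    }
}
```

Calling setNFTDescriptorVulnerable on a fresh deployment logs the (1, 0) range; setNFTDescriptorFixed logs nothing until createStream has been called at least once.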

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

