Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

Potential for Empty String in tokenURI Function

Summary

The tokenURI function in the SablierV2NFTDescriptor contract constructs the JSON metadata for the NFT by concatenating various components. If any of these components are empty or invalid, the result is an incomplete or empty JSON metadata string. The function does not currently check for this case, so malformed metadata can be returned to consumers.

Proof of Concept

Scenarios Leading to Empty String:

  1. Calls to functions like sablier.getAsset, sablier.getDepositedAmount, etc., might fail or return unexpected results, leading to missing data fields.

  2. If safeAssetSymbol fails and returns an empty string, the assetSymbol could be empty.

  3. If NFTSVG.generateSVG fails to generate a valid SVG string, vars.svg could be empty.

  4. If the Base64.encode function fails or returns an empty string, the image field in the JSON metadata could be empty.

  5. If the low-level call to ISablierV2Lockup.isTransferable fails and the fallback logic does not handle it properly, it could lead to an empty or incorrect isTransferable value.

  6. If any of the components used to build the JSON metadata (e.g., generateAttributes, generateDescription, generateName) return empty strings, it could lead to an incomplete or empty JSON metadata string.

Impact

  1. The NFT metadata might be incomplete, leading to missing information when displayed on platforms like OpenSea.

  2. An empty or malformed JSON string could cause errors in applications that rely on this metadata.

Tools Used

Manual Review

Recommendations

  1. Implement validation checks for each component used to build the JSON metadata. Ensure that none of the components are empty before concatenating them.

  2. Add error handling mechanisms to catch and handle cases where any of the components are empty or invalid.

  3. Provide fallback values for critical fields to ensure that the JSON metadata is always complete and valid.

  4. Consider adding logging for debugging purposes to track any instances where components are empty or invalid.
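The validation and fallback pattern described in the recommendations, as an added illustration that is not part of the submission or of Sablier's code. The `MetadataGuard` library, the `GuardedDescriptor` contract and the `Components` struct are hypothetical; the real descriptor derives these strings from calls such as `generateName`, `generateDescription`, `generateAttributes` and `Base64.encode`. Critical fields revert when empty, non-critical fields are replaced with explicit placeholders so the JSON stays well-formed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.19;

// Added illustration, not Sablier code: reject or substitute empty metadata
// components before concatenating them into the tokenURI JSON.
library MetadataGuard {
    error EmptyComponent(string field);

    /// @dev Reverts if `value` is empty; `field` names the offending component.
    function requireNonEmpty(string memory value, string memory field)
        internal
        pure
        returns (string memory)
    {
        if (bytes(value).length == 0) revert EmptyComponent(field);
        return value;
    }

    /// @dev Returns `value`, or `fallbackValue` when `value` is empty.
    function orDefault(string memory value, string memory fallbackValue)
        internal
        pure
        returns (string memory)
    {
        return bytes(value).length == 0 ? fallbackValue : value;
    }
}

contract GuardedDescriptor {
    using MetadataGuard for string;

    // Hypothetical bundle of the raw strings a descriptor would compute.
    struct Components {
        string name;        // from a generateName-style helper
        string description; // from a generateDescription-style helper
        string image;       // base64-encoded SVG, without the data-URI prefix
        string attributes;  // JSON array fragment, e.g. [{"trait_type":...}]
        string assetSymbol; // from a safeAssetSymbol-style helper
    }

    /// @notice Builds the metadata JSON. Empty critical fields revert instead
    /// of producing a half-built document; non-critical ones get placeholders.
    function buildJSON(Components memory c) public pure returns (string memory) {
        // Critical: without a name or image the token cannot be rendered at all.
        string memory name = c.name.requireNonEmpty("name");
        string memory image = c.image.requireNonEmpty("image");

        // Non-critical: degrade gracefully but keep the JSON syntactically valid.
        string memory description = c.description.orDefault("No description available.");
        string memory attributes = c.attributes.orDefault("[]");
        string memory symbol = c.assetSymbol.orDefault("UNKNOWN");

        return string.concat(
            '{"name":"', name,
            '","description":"', description,
            '","image":"data:image/svg+xml;base64,', image,
            '","asset_symbol":"', symbol,
            '","attributes":', attributes,
            "}"
        );
    }
}
```

Because `tokenURI` is a `view` function, events cannot be emitted from it, so on-chain "logging" of an empty component is not available; the practical choices are to revert (which marketplaces surface as a failed metadata fetch) or to substitute a placeholder, and the split between the two should follow which fields a consumer cannot do without.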

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
