The current implementation of the tokenURI function lacks validation to ensure that the provided stream ID corresponds to an existing stream.
This oversight can lead to real problems. If the tokenURI method is invoked with a maliciously chosen stream ID, the returned data may deceive users, because the method returns metadata for a non-existent stream ID that looks like a genuine one.
Users may receive data for a non-existent stream ID, leading to confusion and a poor user experience.
Violation of the ERC721 Metadata extension of the standard.
The function lacks any requirement that the provided stream ID be valid. In the standard OpenZeppelin implementation, this check is present:
To demonstrate the vulnerability, an attacker could:
Invoke the tokenURI function of your contract with a non-existent stream ID as input.
Observe that the tokenURI function does not validate the existence of the stream ID and returns data as if the stream ID were valid.
Manual Review
Implement a validation step in the tokenURI function to ensure that the provided stream ID corresponds to an existing stream.
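As an added illustration that is not the project's own code, the following minimal stream NFT (hypothetical contract and function names throughout) shows the unchecked tokenURI beside the fixed version, which reverts for an unminted stream ID the way OpenZeppelin's ERC721 does:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical minimal stream NFT (not the audited project's code) showing the
// missing check in tokenURI and the fix mirroring OpenZeppelin's ERC721.
contract StreamNFTExample {
    struct Stream { address sender; address recipient; uint128 amount; }
    mapping(uint256 => Stream) private _streams;
    mapping(uint256 => address) private _owners; // ERC721 owner per token id
    uint256 public nextStreamId = 1;

    // Same error OpenZeppelin v5 ERC721 raises for unminted ids.
    error ERC721NonexistentToken(uint256 tokenId);

    function createStream(address recipient, uint128 amount) external returns (uint256 id) {
        id = nextStreamId++;
        _streams[id] = Stream(msg.sender, recipient, amount);
        _owners[id] = recipient; // the recipient holds the stream NFT
    }

    // Existence check equivalent to OpenZeppelin's _requireOwned / _requireMinted.
    function _requireOwned(uint256 tokenId) internal view returns (address owner) {
        owner = _owners[tokenId];
        if (owner == address(0)) revert ERC721NonexistentToken(tokenId);
    }

    // VULNERABLE pattern from the finding: any id, minted or not, yields a
    // well-formed JSON whose fields are simply zero, so a fabricated id looks real.
    function tokenURIUnchecked(uint256 streamId) external view returns (string memory) {
        return _metadata(streamId);
    }

    // FIXED: reject ids that were never minted before rendering anything.
    function tokenURI(uint256 streamId) external view returns (string memory) {
        _requireOwned(streamId);
        return _metadata(streamId);
    }

    function _metadata(uint256 streamId) private view returns (string memory) {
        Stream storage s = _streams[streamId];
        return string(abi.encodePacked(
            '{"name":"Stream #', _toString(streamId),
            '","amount":"', _toString(s.amount), '"}'));
    }

    function _toString(uint256 v) private pure returns (string memory) {
        if (v == 0) return "0";
        bytes memory b;
        while (v != 0) { b = abi.encodePacked(bytes1(uint8(48 + v % 10)), b); v /= 10; }
        return string(b);
    }
}
```

Calling tokenURIUnchecked(999) on a fresh deployment returns `{"name":"Stream #999","amount":"0"}`, while tokenURI(999) reverts with ERC721NonexistentToken(999).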