The MetadataImage contract generates SVG images that include ERC20 token symbols without properly escaping special XML characters. This can lead to invalid SVG output or unexpected rendering issues when a token symbol contains characters that have special meaning in XML/SVG.

In the tokenName and getTokenName functions, the ERC20 token symbol is inserted directly into the SVG without any character escaping:
If a token's symbol contains special XML characters such as `<`, `>`, `&`, `"` or `'`, it can break the SVG structure or cause rendering issues.

The generated SVG could be invalid or render incorrectly when displayed, potentially leading to a missing or incorrect token symbol in the NFT image, a broken SVG structure that causes the entire image to fail to render, or unexpected visual artifacts and layout issues in the NFT image.
Manual code review, VSCode
Implement an XML escaping function to handle special characters in token symbols. The getTokenName function should then be updated to apply this escaping function to the ERC20 token symbol it retrieves. This ensures that special characters are escaped consistently, preventing SVG rendering issues and keeping the XML output valid for all token symbols.
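As an added example that is not the project's own code, the escaping library below replaces the five XML special characters, and a hypothetical getTokenName wrapper shows where it belongs; the IERC20Metadata interface and the contract name are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface for the symbol() getter; assumed here, not taken from the project.
interface IERC20Metadata {
    function symbol() external view returns (string memory);
}

/// @notice Escapes the five XML special characters so an untrusted string can be
///         embedded as text content or an attribute value in SVG without altering
///         the markup structure.
library XmlEscape {
    function escape(string memory input) internal pure returns (string memory) {
        bytes memory src = bytes(input);
        // Worst case: every byte expands to 6 bytes ("&quot;" / "&apos;").
        bytes memory out = new bytes(src.length * 6);
        uint256 len = 0;
        for (uint256 i = 0; i < src.length; i++) {
            bytes1 c = src[i];
            bytes memory rep;
            if (c == "<") rep = "&lt;";
            else if (c == ">") rep = "&gt;";
            else if (c == "&") rep = "&amp;";
            else if (c == '"') rep = "&quot;";
            else if (c == "'") rep = "&apos;";
            else { out[len++] = c; continue; } // ordinary byte, copied unchanged
            for (uint256 j = 0; j < rep.length; j++) {
                out[len++] = rep[j];
            }
        }
        // Trim the buffer to the number of bytes actually written.
        assembly { mstore(out, len) }
        return string(out);
    }
}

/// @dev Hypothetical wrapper: the symbol is escaped before it is concatenated into
///      SVG markup. A symbol such as `<b>"X"&'Y'</b>` becomes
///      `&lt;b&gt;&quot;X&quot;&amp;&apos;Y&apos;&lt;/b&gt;`.
contract MetadataImageExample {
    using XmlEscape for string;

    function getTokenName(address token) public view returns (string memory) {
        return IERC20Metadata(token).symbol().escape();
    }
}
```

An ERC20 symbol is an arbitrary string chosen by whoever deployed the token, so escaping on output is the reliable control rather than trying to validate symbols on input.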