baseURI and uris are not populated for L2 → L1 bridging
Summary
In case baseURI exists for the L2 collection it won't be duplicated in L1 and will be left empty.
Vulnerability Details
Due to a missing setter in Deployer::deployERC721Bridgeable _baseURI and URIs will not be initialized and will remain with the default value of “”. Having a URI is important since IPFS is built from it and is used to load the image of the NFT.
In bridge::deposit_tokens we can see that all the properties are being added to the request payload:
But in Bridge::withdrawTokens, all except base_uri and uris are being used:
Impact
Bridging NFT from L2 to L1 will deploy token with different properties.
Tools Used
Manual Review
Recommendations
In ERC721Bridgeable, introduce a new variable baseURI and set it in the constructor and override 721::_baseURI() to return it.
Lead Judging Commences
invalid-NFT-minted-without-baseURI-URIs-or-bridge-with-no-metadata
URI is not lost on the origin chain and it can be modified with `ERC721UriImpl`. As explained in the TODO below, that’s a design choice and it will be implemented as a future feature. https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/Bridge.sol#L206 `ERC721Bridgable` is out of scope.
Appeal created
invalid-NFT-minted-without-baseURI-URIs-or-bridge-with-no-metadata
URI is not lost on the origin chain and it can be modified with `ERC721UriImpl`. As explained in the TODO below, that’s a design choice and it will be implemented as a future feature. https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/Bridge.sol#L206 `ERC721Bridgable` is out of scope.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.