NFTBridge
60,000 USDC
Submission Details
Severity: low
Valid

Wrong baseURI invocation will always revert

Summary

Wrong function selector will always return an empty baseURI().

Vulnerability Details

When NFTs are deposited on L1 via depositTokens(), their metadata is collected in TokenUtil.erc721Metadata(). The logic is as follows:

Is a baseURI exposed by the collection?

→ Yes - the baseURI is returned and individual token URIs are skipped.
→ No - the tokenURI of each tokenId is returned instead.

IERC721Metadata c = IERC721Metadata(collection);
// How the URI must be handled.
// if a base URI is already present, we ignore individual URI
// else, each token URI must be bridged and then the owner of the collection
// can decide what to do
(bool success, string memory _baseUri) = _callBaseUri(collection);
if (success) {
    return (c.name(), c.symbol(), _baseUri, new string[](0));
}
else {
    string[] memory URIs = new string[](tokenIds.length);
    for (uint256 i = 0; i < tokenIds.length; i++) {
        URIs[i] = c.tokenURI(tokenIds[i]);
    }
    return (c.name(), c.symbol(), "", URIs);
}

But _callBaseUri() is incorrectly implemented: it passes the wrong function signatures to abi.encodeWithSignature(), so the selectors it calls never match the functions a collection actually exposes.

bytes[2] memory encodedSignatures = [abi.encodeWithSignature("_baseUri()"), abi.encodeWithSignature("baseUri()")];

This is the OpenZeppelin implementation of the hook: it is named _baseURI, with capital URI, so the string "_baseUri()" hashes to a different selector and will never match.

function _baseURI() internal view virtual returns (string memory) {
    return '';
}

However, even if the selectors are changed to the capitalized names, there is no guarantee that this code will retrieve the baseURI of the collection:

  1. _baseURI() is internal, so it cannot be called from outside the contract at all.

  2. The collection must explicitly define an external/public baseURI(), or override _baseURI() to be public, for the call to succeed.

In the specified EveraiDuo collection, this function is internal and cannot be called.

Note: In the contest chat it was stated that all NFT collections are in scope. BoredApeYachtClub is one of the collections that has a public baseURI() and will work after the fix.

Impact

The baseURI will never be retrieved, so TokenUtil.erc721Metadata() always falls back to the per-token result of tokenURI(), defeating the purpose of the base URI branch.

Tools Used

Manual

Recommendations

Change the function selectors to _baseURI() and baseURI(), but note that if the collection does not expose an external/public function for baseURI, it cannot be retrieved separately and then tokenURI must be used.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-baseUri-selector-instead-of-baseURI

Likelihood: Medium, no token using OZ version 2.X and 3.X will work. Impact: Low, valid standard token won't be minted with the URI but owner can use ERC721UriImpl function on the deployed token.
