NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Lack of Contract Existence Check in _callBaseUri Function

Summary

This report evaluates the _callBaseUri function, which retrieves the base URI from a given token collection contract. The function has been enhanced with a check that the supplied address is actually a contract. That check prevents pointless calls to non-contract addresses and makes the function more robust.

Vulnerability Details

The original _callBaseUri function had no way to verify that the supplied address was a contract. Without this check it could issue calls to non-contract addresses, which yield failed calls or errors. The missing check could also waste gas and produce unexpected behaviour whenever the address is not a contract.

Impact

Low-level calls (call, delegatecall and staticcall) report success even if the called contract does not exist (never deployed or self-destructed).

As stated in the Solidity documentation:

The low-level functions call, delegatecall and staticcall return true as their first return value if the account called is non-existent, as part of the design of the EVM. Account existence must be checked prior to calling if needed.

Tools Used

Recommendations

Check for contract existence on low-level calls, so that failures are not missed.
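The following contract is an added illustration, not the NFTBridge code under review: it reconstructs the pattern the finding describes (a staticcall to a collection's baseURI() whose success flag is meaningless when no code lives at the target) next to the guarded form the recommendation asks for. The baseURI() selector, the function signatures and the return convention are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only; the real NFTBridge _callBaseUri is not reproduced here.
contract BaseUriCaller {
    // Assumed collection interface: a view function baseURI() returning a string.
    bytes4 private constant BASE_URI_SELECTOR = bytes4(keccak256("baseURI()"));

    /// Unchecked form (the pattern the finding describes).
    /// On an address with no code the EVM returns (true, "") from STATICCALL,
    /// so the require passes and abi.decode then reverts on empty returndata
    /// with no reason string: the caller cannot tell "not a contract" apart
    /// from a genuine failure, and the existence failure is effectively hidden.
    function _callBaseUriUnchecked(address collection) internal view returns (string memory uri) {
        (bool success, bytes memory data) =
            collection.staticcall(abi.encodeWithSelector(BASE_URI_SELECTOR));
        require(success, "baseURI call failed"); // does not fire for EOAs or destructed contracts
        uri = abi.decode(data, (string));
    }

    /// Checked form (what the recommendation asks for).
    /// Verifying that code exists at the target before the low-level call turns
    /// the silent "success" into an explicit, attributable failure.
    /// address.code.length reads EXTCODESIZE and is 0 both for accounts that
    /// never held code and for a contract still running its constructor.
    function _callBaseUriChecked(address collection) internal view returns (bool ok, string memory uri) {
        if (collection.code.length == 0) {
            return (false, "");
        }
        (bool success, bytes memory data) =
            collection.staticcall(abi.encodeWithSelector(BASE_URI_SELECTOR));
        if (!success || data.length == 0) {
            return (false, "");
        }
        return (true, abi.decode(data, (string)));
    }

    // Public wrappers so both behaviours can be observed from a test or console.
    function probeUnchecked(address collection) external view returns (string memory) {
        return _callBaseUriUnchecked(collection);
    }

    function probeChecked(address collection) external view returns (bool, string memory) {
        return _callBaseUriChecked(collection);
    }
}
```

Calling probeUnchecked with an externally owned account reverts from abi.decode with empty revert data, while probeChecked returns (false, "") and lets the caller decide how to react; OpenZeppelin's Address.functionStaticCall applies the same code-length guard for exactly this reason.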

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.
