Upon token deposit if erc721Metadata is not supported the data is empty
Summary
TokenUtil::erc721Metadata might return empty data which might result in unexpected behaviour.
Vulnerability Details
In TokenUtil::erc721Metadata if the supportsMetadata is not supported the returned result is empty data (empty strings, and empty string array):
Whenever Bridge::depositTokens is called and the CollectionType is CollectionType.ERC721 then the TokenUtil::erc721Metadata is called and if the supportsMetadata is not supported the result is as described above.
As a result, the req data is empty strings and an empty string array and gets serialized and passed on as payload which could have unexpected outcomes.
Impact
Impact: Medium
Likelihood: Medium
Proof of Concept
User calls Bridge::depositTokens where the CollectionType of the collection is CollectionType.ERC721 and the ERC165Checker.supportsInterface does NOT support it causing the TokenUtil::erc721Metadata to return ("", "", "", new string[](0)).
Tools Used
Manual Review
Recommendations
In TokenUtil::erc721Metadata change the logic so it reverts instead of passing on empty data as of now:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.