NFTBridge
60,000 USDC
Submission Details
Severity: low
Valid

Ineffective base URI retrieval in `TokenUtil::_callBaseUri()`

Summary

Calls to the non-public functions _baseUri() and baseUri() will fail, resulting in the TokenUtil::_callBaseUri() function always returning (false, "").

Vulnerability Details

The TokenUtil::_callBaseUri() function retrieves the base URI of an NFT by attempting to call the _baseUri() and baseUri() functions. However, this approach is ineffective for Everai, where:

  1. The EveraiDuo::_baseUri() function is not publicly accessible.

  2. The baseUri() function does not exist in the Everai contract.

Moreover, these functions are not part of the EIP-721 specification. As a result, when TokenUtil::_callBaseUri() attempts to retrieve the base URI by calling these functions, it always returns (false, ""). This results in ineffective function execution and unnecessary gas consumption.

Impact

The _callBaseUri() call returns false, so the base URI cannot be fetched.

File: TokenUtil.sol

```solidity
// if a base URI is already present, we ignore individual URI
// else, each token URI must be bridged and then the owner of the collection
// can decide what to do
(bool success, string memory _baseUri) = _callBaseUri(collection);
if (success) {
    return (c.name(), c.symbol(), _baseUri, new string[](0));
}
```

Tools Used

vscode

Recommendations

Retrieve the NFT's token URI with the nft::tokenURI() function and remove the unnecessary _callBaseUri() function calls.
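The failure mode described above, as an added example that is not code from the NFTBridge project or from the submission: a signature-based `staticcall` probe finds nothing on a collection whose base URI getter is internal, while `tokenURI(uint256)` resolves. `MockCollection`, `UriProbe`, `probe`, `check` and the URI values are hypothetical names and constructed data.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Constructed stand-in for a collection whose base URI getter is internal:
// an internal function has no external selector, so no probe can reach it.
contract MockCollection {
    function _baseURI() internal pure returns (string memory) {
        return "ipfs://constructed-base/";
    }

    // The metadata accessor that EIP-721 defines (constructed: one fixed token).
    function tokenURI(uint256) external pure returns (string memory) {
        return string.concat(_baseURI(), "1.json");
    }
}

contract UriProbe {
    // Hypothetical probe: low-level staticcall by signature string, the
    // lookup pattern the finding describes. A selector that matches no
    // external function (and no fallback) reverts, so ok is false.
    function probe(address collection, string memory sig)
        public view returns (bool, string memory)
    {
        (bool ok, bytes memory ret) =
            collection.staticcall(abi.encodeWithSignature(sig));
        if (!ok || ret.length == 0) return (false, "");
        return (true, abi.decode(ret, (string)));
    }

    function check() external returns (bool) {
        MockCollection c = new MockCollection();
        (bool a, ) = probe(address(c), "_baseUri()");
        (bool b, ) = probe(address(c), "baseUri()");
        // Selectors are case-sensitive; this spelling also fails here because
        // the mock exposes no public baseURI() either.
        (bool d, ) = probe(address(c), "baseURI()");
        require(!a && !b && !d, "expected every base URI probe to fail");

        // tokenURI(uint256) is external, so the call resolves.
        string memory uri = c.tokenURI(1);
        return keccak256(bytes(uri)) ==
            keccak256(bytes("ipfs://constructed-base/1.json"));
    }
}
```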

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-baseUri-selector-instead-of-baseURI

Likelihood: Medium, no token using OZ version 2.X and 3.X will work. Impact: Low, Valid standard token won’t be minted with the URI but owner can use ERC721UriImpl function on the deployed token.
