The erc721_bridgeable.cairo contract includes a set_base_uri function that lets the contract owner set the base URI for the bridged NFTs. The base URI is the prefix from which each token's metadata URI is built (base URI followed by the token ID), and that metadata in turn points to the token's image and attributes, which live off-chain, typically in decentralized storage such as IPFS. Users buy tokens on the strength of that content, so holders reasonably expect the base URI to be fixed once the collection is live. Because set_base_uri remains callable by the owner at any time, the owner can redirect the metadata, and therefore the images, of every token in the collection after users have acquired them.
The function is owner-controlled, so the likelihood is low, but the impact is high: a single call rewrites what every token resolves to, and holders have no way to prevent it or to opt out. Allowing the base URI to be changed unilaterally therefore undermines the trust and value of the NFTs, since users may effectively lose the original content they paid for. Such a change, or even the possibility of one, erodes user confidence and the perceived integrity of the collection, and it shifts the collection's security model from "what the chain guarantees" to "what the owner promises".
Evaluate whether the ability to update the URI is genuinely necessary for the collection (for example, only during an initial reveal phase). If it is, make changes transparent: emit an event carrying the old and new values, and notify users well in advance of any change so they can act on it. Additionally, add safeguards that bound the owner's power, such as a one-way "freeze" that permanently disables set_base_uri once the collection is finalized, a timelock on updates, or a governance mechanism, so that arbitrary changes are not possible and user interests are protected.
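The pattern below is an added illustration written for this finding, not the bridge's own code: a minimal Starknet contract that keeps an owner-settable base URI but adds the one-way freeze and the change event recommended above. The contract, storage and function names (FreezableBaseUri, base_uri_frozen, freeze_base_uri, BaseUriUpdated) are hypothetical and assume Cairo 2.7-style storage access.

```cairo
// Added example, not code from erc721_bridgeable.cairo.
// Shows an owner-controlled base URI that can be permanently frozen,
// so holders get an on-chain guarantee that metadata cannot be redirected later.

#[starknet::interface]
pub trait IBaseUri<TContractState> {
    fn base_uri(self: @TContractState) -> ByteArray;
    fn base_uri_frozen(self: @TContractState) -> bool;
    fn set_base_uri(ref self: TContractState, base_uri: ByteArray);
    fn freeze_base_uri(ref self: TContractState);
}

#[starknet::contract]
pub mod FreezableBaseUri {
    use starknet::{ContractAddress, get_caller_address};
    use starknet::storage::{StoragePointerReadAccess, StoragePointerWriteAccess};

    #[storage]
    struct Storage {
        owner: ContractAddress,
        base_uri: ByteArray,
        // Hypothetical one-way flag: once true, set_base_uri is disabled forever.
        base_uri_frozen: bool,
    }

    #[event]
    #[derive(Drop, starknet::Event)]
    pub enum Event {
        BaseUriUpdated: BaseUriUpdated,
        BaseUriFrozen: BaseUriFrozen,
    }

    // Emitted on every change so off-chain monitors and holders can see it.
    #[derive(Drop, starknet::Event)]
    pub struct BaseUriUpdated {
        pub old_base_uri: ByteArray,
        pub new_base_uri: ByteArray,
    }

    #[derive(Drop, starknet::Event)]
    pub struct BaseUriFrozen {}

    #[constructor]
    fn constructor(ref self: ContractState, owner: ContractAddress, base_uri: ByteArray) {
        self.owner.write(owner);
        self.base_uri.write(base_uri);
        self.base_uri_frozen.write(false);
    }

    #[abi(embed_v0)]
    impl BaseUriImpl of super::IBaseUri<ContractState> {
        fn base_uri(self: @ContractState) -> ByteArray {
            self.base_uri.read()
        }

        fn base_uri_frozen(self: @ContractState) -> bool {
            self.base_uri_frozen.read()
        }

        // Owner may update the base URI only while it is not frozen.
        fn set_base_uri(ref self: ContractState, base_uri: ByteArray) {
            self.assert_only_owner();
            assert(!self.base_uri_frozen.read(), 'BASE_URI_FROZEN');
            let old_base_uri = self.base_uri.read();
            let new_base_uri = base_uri.clone();
            self.base_uri.write(base_uri);
            self.emit(BaseUriUpdated { old_base_uri, new_base_uri });
        }

        // One-way switch: there is deliberately no "unfreeze".
        fn freeze_base_uri(ref self: ContractState) {
            self.assert_only_owner();
            self.base_uri_frozen.write(true);
            self.emit(BaseUriFrozen {});
        }
    }

    #[generate_trait]
    impl Internal of InternalTrait {
        fn assert_only_owner(self: @ContractState) {
            assert(get_caller_address() == self.owner.read(), 'NOT_OWNER');
        }
    }
}
```

With this design the owner can still fix a mistaken URI before the collection is finalized (for example, after a reveal), but once freeze_base_uri has been called the guarantee holders want is enforced by the contract rather than by a promise. Pointing the base URI at content-addressed storage (an IPFS CID) complements the freeze: the frozen prefix then commits to the exact bytes, not just to a location.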
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.