NFTBridge
60,000 USDC
Submission Details
Severity: low
Valid

Wrong signature is used in `_callBaseUri`, leading to a null base URI

Summary

The wrong function signature is used in `_callBaseUri`, so the call returns a null base URI.

Vulnerability Details

`TokenUtil.sol::_callBaseUri`:

```solidity
bytes[2] memory encodedSignatures = [abi.encodeWithSignature("_baseUri()"), abi.encodeWithSignature("baseUri()")];
```

For ERC721, `baseURI` and `_baseURI` are the widely used functions for retrieving the base URI. For example, OpenZeppelin's ERC721:

```solidity
function _baseURI() internal view virtual returns (string memory) {
    return "";
}
```

A function selector is the first four bytes of `keccak256` over the exact, case-sensitive signature string, so `baseURI()` and `baseUri()` have different selectors, and so do `_baseURI()` and `_baseUri()`. The selectors encoded in `_callBaseUri` are therefore the wrong ones.

POC

Remix:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Signature {
    function getSignature_1() public pure returns (bytes memory) {
        return abi.encodeWithSignature("baseUri()");
    }

    function getSignature_2() public pure returns (bytes memory) {
        return abi.encodeWithSignature("baseURI()");
    }

    function getSignature_3() public pure returns (bytes memory) {
        return abi.encodeWithSignature("_baseUri()");
    }

    function getSignature_4() public pure returns (bytes memory) {
        return abi.encodeWithSignature("_baseURI()");
    }
}
```

Output:

- getSignature_1 → 0: bytes: 0x9abc8320
- getSignature_2 → 0: bytes: 0x6c0360eb
- getSignature_3 → 0: bytes: 0x3e63eb2a
- getSignature_4 → 0: bytes: 0x743976a0

Impact

The wrong function signature is used in `_callBaseUri`, so the call returns a null base URI.

Tools Used

Manual review and Remix

Recommendations

- bytes[2] memory encodedSignatures = [abi.encodeWithSignature("_baseUri()"), abi.encodeWithSignature("baseUri()")];
+ bytes[2] memory encodedSignatures = [abi.encodeWithSignature("_baseURI()"), abi.encodeWithSignature("baseURI()")];
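
Review bot: the `_baseURI()` half of this change cannot take effect: the report's own OpenZeppelin snippet declares `_baseURI()` as `internal view virtual`, so it has no externally callable selector whichever case is used, and the `baseURI()` correction is the fix that actually matters; either drop the first entry or note that it is a best-effort probe for non-OpenZeppelin tokens that expose `_baseURI()` publicly.
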
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-baseUri-selector-instead-of-baseURI

Likelihood: Medium, no token using OZ version 2.X and 3.X will work. Impact: Low, a valid standard token won't be minted with the URI, but the owner can use the ERC721UriImpl function on the deployed token.
