When bridging from L2 to L1 and NFT isn't escrowed, tokenURI data is not handled in L1
Summary
When bridging from L2 to L1 and NFT isn't escrowed, tokenURI data is not handled in L1. The tokenURI data transferred from L2 to L1 is not utilized.
Vulnerability Details
Bridge::withdrawTokens
When bridging from L2 to L1, if wasEscrowed is false, mintFromBridge is called. The implemention of mintFromBridge function is as follows:
ERC721Bridgeable::mintFromBridge
From code above, we can conclude that tokenURI data is not handled in L1. And comment suggests "check what to do with URIs. If the URI storage is supported or not for ERC721. If supported, we may need to mint with an URI". So tokenURI data should be handled.
Impact
The tokenURI data transferred from L2 to L1 is not utilized.
Tools Used
manual
Recommendations
Handle tokenURI data like function bridge::withdraw_auto_from_l1 by calling mint_from_bridge_uri.
Lead Judging Commences
invalid-NFT-minted-without-baseURI-URIs-or-bridge-with-no-metadata
URI is not lost on the origin chain and it can be modified with `ERC721UriImpl`. As explained in the TODO below, that’s a design choice and it will be implemented as a future feature. https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/Bridge.sol#L206 `ERC721Bridgable` is out of scope.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.