NFTBridge
60,000 USDC
Submission Details
Severity: low
Valid

Incorrect Function Selector for Base URI Results in Failure to Retrieve Metadata

Summary

In the ERC721 standard, which is commonly used for NFTs, the function name for retrieving metadata is spelled with URI in capitals, not Uri. The NFT bridge contract, however, calls baseUri to get the metadata URI of an NFT collection, so the lookup fails every time.

Vulnerability Details

    function _callBaseUri(
        address collection
    )
        internal
        view
        returns (bool, string memory)
    {
        bool success;
        uint256 returnSize;
        uint256 returnValue;
        bytes memory ret;
        bytes[2] memory encodedSignatures = [abi.encodeWithSignature("_baseUri()"), abi.encodeWithSignature("baseUri()")];
        for (uint256 i = 0; i < 2; i++) {
            bytes memory encodedParams = encodedSignatures[i];
            // staticcall to retrieve metadata uri
            ...
        }
        return (false, "");
    }

The code snippet above shows the _callBaseUri function used when bridging NFTs. The function attempts to retrieve metadata by calling _baseUri and baseUri from the NFT collection contract.

However, this approach has two main issues:

  • The _baseUri function is typically an internal function. Internal functions cannot be accessed by external contracts, which means this call will fail.

  • Most NFT collections that support a base URI use the function name baseURI, not baseUri. This small difference in capitalization is crucial and causes the call to fail.

Because of these issues, the function will always fail to retrieve the base URI from any NFT collection.

Impact

The inability to retrieve the base URI prevents access to NFT metadata on the destination chain. This can disrupt the display or use of the NFT's metadata, such as its image, description, and other attributes.

Tools Used

Manual Review

Recommendations

To correctly retrieve the metadata from an NFT collection, the contract should call the baseURI function instead of baseUri.
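
One way to implement this recommendation, as an added example that is not the bridge's own code: the probe tries baseURI() first and decodes the result defensively. The names BaseUriProbe, tryBaseURI and decodeString are hypothetical, and keeping baseUri() as a second candidate is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the bridge's code. Contract and function names are hypothetical.
contract BaseUriProbe {
    // External so that a malformed return value can be caught with try/catch
    // instead of reverting the whole probe.
    function decodeString(bytes calldata data) external pure returns (string memory) {
        return abi.decode(data, (string));
    }

    function tryBaseURI(address collection) public view returns (bool, string memory) {
        // `_baseUri()` is left out: an internal function has no external selector.
        bytes[2] memory candidates = [
            abi.encodeWithSignature("baseURI()"), // spelling the finding recommends
            abi.encodeWithSignature("baseUri()")  // spelling the bridge currently tries
        ];
        for (uint256 i = 0; i < candidates.length; i++) {
            (bool ok, bytes memory ret) = collection.staticcall(candidates[i]);
            // An ABI-encoded string is at least 64 bytes (offset + length).
            // This also rejects addresses without code, where staticcall
            // succeeds with empty return data.
            if (!ok || ret.length < 64) continue;
            try this.decodeString(ret) returns (string memory uri) {
                if (bytes(uri).length > 0) return (true, uri);
            } catch {
                // Not a string return (for example a fallback answered); try next.
            }
        }
        return (false, "");
    }
}
```

A unit test for the bridge should deploy one mock collection per spelling and assert that the probe returns true only where a public getter exists.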

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-baseUri-selector-instead-of-baseURI

Likelihood: Medium, no token using OZ version 2.X and 3.X will work. Impact: Low, Valid standard token won’t be minted with the URI but owner can use ERC721UriImpl function on the deployed token.

Appeal created

bladesec Submitter
12 months ago
n0kto Lead Judge
11 months ago
n0kto Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-baseUri-selector-instead-of-baseURI

Likelihood: Medium, no token using OZ version 2.X and 3.X will work. Impact: Low, Valid standard token won’t be minted with the URI but owner can use ERC721UriImpl function on the deployed token.
