60,000 USDC
Submission Details
Severity:
ERC721Bridgable doesn't support minting tokens with URIs
Summary
No functionality in ERC721Bridgable to store tokenURIs and mint from bridge with token URI
Vulnerability Details
As mentioned in the readme ERC721 bridgable contracts should support having a string stored for each token.
The metadata (Token URI most importantly) for a token can be implemented in diverse manners. Using a base URI concatenating the token id, or having a string stored for each token. Even if the base URI is often use, we still see some URIs being stored. We can see here the first choice to make when a token is bridged. Is the URI required to be explicit bridged for each token, or only bridging the base URI is sufficient. This is then tied to what is the design choice made by the developer / collection owner. ArkProject Bridge supports both.
This is implemented in erc_721_brigeable contract using mint_from_bridge_uri. But not implemented in ERC721Bridgable contract. The uris from request are never being used in withdrawTokens in L1 bridge contract
Impact
Missing feature of having a URI string stored for each token in ERC721Bridgable
Tools Used
manual review
Recommendations
Implement mintFromBridgeUri in ERC721Bridgable
Prize pool breakdown
Total prize
60,000 USDC
nSLOC
2,30126 USDC / LOC
50,000 USDC
5,500 USDC
4,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.