Contest: Sablier Flow (Foundry, DeFi), 20,000 USDC prize pool
Submission Details
Severity: low
Status: Invalid

Lack of TokenURI Owner-Restricted Functions in FlowNFTDescriptor Contract

Summary

The FlowNFTDescriptor contract, which generates the token URI for NFTs representing payment streams in Sablier Flow, lacks owner-restricted functions for modifying key properties like the NFT name and external URL.

Vulnerability Details

The tokenURI function provides static metadata, making attributes such as name, external_url, and description immutable after deployment. Future changes would require redeploying the contract, leading to inefficiencies.

Impact

  1. Lack of Flexibility: Inability to update metadata could lead to outdated information.

  2. User Experience: Users may encounter incorrect or misleading NFT details.

  3. Deployment Costs: Changes necessitate new contract deployments, increasing costs.

  4. Risk of Abandonment: An inflexible contract may be perceived as outdated or abandoned.

Tools Used

Manual Code Review

Recommendations

Implement onlyOwner Modifiers: Add functions to update the name and external_url.

// Both setters assume the descriptor inherits an Ownable base that supplies onlyOwner.
function setName(string calldata newName) external onlyOwner {
    require(bytes(newName).length > 0, "Name cannot be empty");
    _name = newName; // storage variable read by tokenURI
}

function setExternalURL(string calldata newURL) external onlyOwner {
    require(bytes(newURL).length > 0, "External URL cannot be empty");
    _externalURL = newURL; // storage variable read by tokenURI
}

In addition, tokenURI should read these storage variables rather than embedding a hardcoded name and external_url.
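The following is an added illustration of that recommendation, not code from the Sablier repository: a simplified descriptor that stores the name and external URL, exposes owner-only setters with events, and builds the JSON in tokenURI from storage. It assumes OpenZeppelin Contracts v5 is available; the tokenURI signature is simplified to a single streamId and is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;
// Assumes OpenZeppelin Contracts v5 is installed (dependency assumed for this example).
import { Ownable } from "@openzeppelin/contracts/access/Ownable.sol";
import { Base64 } from "@openzeppelin/contracts/utils/Base64.sol";
import { Strings } from "@openzeppelin/contracts/utils/Strings.sol";

/// @notice Simplified stand-in for FlowNFTDescriptor: name and external URL are stored,
/// owner-updatable, and read by tokenURI instead of being hardcoded.
contract MutableFlowNFTDescriptor is Ownable {
    string private _name;
    string private _externalURL;
    // Events let indexers and monitoring notice every metadata change.
    event NameUpdated(string oldName, string newName);
    event ExternalURLUpdated(string oldURL, string newURL);

    constructor(address initialOwner, string memory name_, string memory url_) Ownable(initialOwner) {
        _name = name_;
        _externalURL = url_;
    }

    /// @dev tokenURI does no JSON escaping, so reject quotes and backslashes up front.
    function _checkPlainString(string calldata s) private pure {
        bytes calldata b = bytes(s);
        require(b.length > 0, "Value cannot be empty");
        for (uint256 i = 0; i < b.length; ++i) {
            require(b[i] != '"' && b[i] != "\\", "Quote or backslash not allowed");
        }
    }

    function setName(string calldata newName) external onlyOwner {
        _checkPlainString(newName);
        emit NameUpdated(_name, newName);
        _name = newName;
    }

    function setExternalURL(string calldata newURL) external onlyOwner {
        _checkPlainString(newURL);
        emit ExternalURLUpdated(_externalURL, newURL);
        _externalURL = newURL;
    }

    /// @dev Builds an on-chain data URI from the stored values; only streamId is per-token here.
    function tokenURI(uint256 streamId) external view returns (string memory) {
        bytes memory json = abi.encodePacked(
            '{"name":"', _name, " #", Strings.toString(streamId), '","description":"Sablier Flow stream",',
            '"external_url":"', _externalURL, '"}'
        );
        return string(abi.encodePacked("data:application/json;base64,", Base64.encode(json)));
    }
}
```

Because the setters only validate characters that would corrupt the JSON, any richer validation (URL scheme, length limits) would need to be added to _checkPlainString.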

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
