Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Missing `streamId` Validation in `tokenURI` Function

Summary

The `tokenURI` function lacks validation to check whether the provided `streamId` corresponds to a valid, existing NFT. This omission may result in the generation of metadata URIs for invalid or non-existent tokens, leading to potential confusion and usability issues.

Vulnerability Details

According to ERC-721 standards, the `tokenURI` function should include a check to ensure the provided `streamId` represents a valid NFT. Without this validation, the function may generate a URI for any arbitrary `streamId`, even if the NFT with that ID does not exist. This can lead to scenarios where the function returns a URI for `streamId`s that have not been minted or assigned to a user.
Calling `tokenURI` on a non-existent `streamId` should ideally revert, preventing the incorrect impression that a valid NFT exists at the requested ID.

Impact

The absence of `streamId` validation may have the following consequences:

  1. Users may unintentionally receive metadata for non-existent tokens, leading to confusion or incorrect assumptions about the existence of specific NFTs.

  2. Without validation, the contract may not fully comply with the ERC-721 standard, potentially affecting interoperability with platforms that expect full standard compliance.

Tools Used

Manual Review

Recommendation

To ensure compliance and prevent unintended metadata generation, implement a validation step in the `tokenURI` function to check that the `streamId` exists and is associated with an NFT before generating a URI. If the `streamId` does not exist, the function should revert, ensuring only valid tokens can generate metadata. This aligns with ERC-721 standards and reduces potential user confusion.
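
The recommended check, shown next to the unchecked pattern, as an added example that is not part of the original submission and is not the audited contract's code. The contract name, the `NonexistentStream` error, the `mint` helper and the `example.invalid` base URI are all constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example: a minimal NFT-like registry, not the audited contract.
contract StreamNFTExample {
    /// Hypothetical error raised when a stream NFT does not exist.
    error NonexistentStream(uint256 streamId);

    // streamId => owner; address(0) means the stream NFT was never minted.
    mapping(uint256 streamId => address owner) private _owners;
    uint256 public nextStreamId = 1;

    function mint(address to) external returns (uint256 streamId) {
        require(to != address(0), "mint to zero address");
        streamId = nextStreamId++;
        _owners[streamId] = to;
    }

    /// Pattern described in the report: builds a URI for any ID, minted or not.
    function tokenURIUnchecked(uint256 streamId) external pure returns (string memory) {
        return string.concat("https://example.invalid/stream/", _toString(streamId));
    }

    /// Recommended pattern: revert before any metadata is generated.
    function tokenURI(uint256 streamId) external view returns (string memory) {
        if (_owners[streamId] == address(0)) revert NonexistentStream(streamId);
        return string.concat("https://example.invalid/stream/", _toString(streamId));
    }

    /// Decimal string conversion, kept inline so the example needs no imports.
    function _toString(uint256 value) private pure returns (string memory) {
        if (value == 0) return "0";
        uint256 digits;
        for (uint256 v = value; v != 0; v /= 10) digits++;
        bytes memory buf = new bytes(digits);
        while (value != 0) {
            buf[--digits] = bytes1(uint8(48 + value % 10));
            value /= 10;
        }
        return string(buf);
    }
}
```

In a contract that inherits OpenZeppelin Contracts v5 `ERC721`, the same guard is a call to the internal `_requireOwned(tokenId)`, which reverts with `ERC721NonexistentToken` for an unminted ID.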

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
