Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

`FlowNFTDescriptor.tokenURI()` Lacks Token Existence Validation

sparrow

Summary

The FlowNFTDescriptor.tokenURI() function does not validate token existence before returning metadata, violating the ERC721 Metadata specification. This allows metadata queries for non-existent tokens, potentially enabling misleading representations of fake streams.

Vulnerability Details

The current implementation in FlowNFTDescriptor.sol returns metadata without any validation:

function tokenURI(

IERC721Metadata, /* sablierFlow */

uint256 /* streamId */

)

external

pure

override

returns (string memory uri)

{

// Returns static data without validation

string memory svg = '...';

string memory json = string.concat(

'"description": "This NFT represents a payment stream in Sablier Flow",'

// ... rest of metadata

);

return string.concat("data:application/json;base64,", Base64.encode(bytes(json)));

}

This violates the ERC721 Metadata specification which requires the function to revert for non-existent tokens:

/// @dev Throws if `_tokenId` is not a valid NFT.

function tokenURI(uint256 _tokenId) external view returns (string memory);

Impact

Protocol Security:

Enables querying metadata for non-existent streams
Allows fake Sablier Flow contracts to generate legitimate-looking metadata
Could be exploited in phishing attacks by presenting fake streams as legitimate

Standard Violation:

Direct violation of ERC721 Metadata specification
May cause integration issues with tools expecting standard compliance

User Experience:

Users cannot distinguish between real and non-existent stream metadata
Potential for confusion and misrepresentation of stream status

Tools Used

Manual code review

Recommendations

Add token existence validation

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.