Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect Arguments in `BatchMetadataUpdate` Event

Summary

The BatchMetadataUpdate event may emit incorrect arguments when the setNFTDescriptor function is called without any streams created or NFTs minted. Specifically, if nextStreamId is set to 1 (indicating no streams have been created), the event arguments may imply an update for token IDs from 1 to 0, which is inaccurate as there are no tokens to update.

Vulnerability Details

```solidity
function setNFTDescriptor(IFlowNFTDescriptor newNFTDescriptor) external override onlyAdmin {
    // Effect: set the NFT descriptor.
    IFlowNFTDescriptor oldNftDescriptor = nftDescriptor;
    nftDescriptor = newNFTDescriptor;

    // Log the change of the NFT descriptor.
    emit ISablierFlowBase.SetNFTDescriptor({
        admin: msg.sender,
        oldNFTDescriptor: oldNftDescriptor,
        newNFTDescriptor: newNFTDescriptor
    });

    // Refresh the NFT metadata for all streams.
    // >> Flagged line: when nextStreamId == 1, this emits the range (1, 0).
    emit BatchMetadataUpdate({ _fromTokenId: 1, _toTokenId: nextStreamId - 1 });
}
```

The issue arises in the following scenario:

1. Initial Condition: nextStreamId is set to 1, indicating that no streams or NFTs have been created.
2. No Mint Condition: Since no NFTs have been minted, nextStreamId remains at 1.
3. Event Emission: When setNFTDescriptor is called, the BatchMetadataUpdate event is emitted with _fromTokenId set to 1 and _toTokenId set to nextStreamId - 1, which evaluates to 0.

This event argument misalignment leads to a misleading log entry, indicating that metadata has been updated for token IDs ranging from 1 to 0, despite there being no tokens to update.

Impact

This discrepancy could cause issues for off-chain consumers and front-end interfaces relying on event logs to track token metadata updates. The incorrect arguments can lead to unintended behaviors, including potentially misleading event listeners and confusing developers or users interpreting the logs.

Tools Used

Manual Review

Recommendation

To prevent incorrect arguments in the BatchMetadataUpdate event, include a conditional check within setNFTDescriptor to verify that nextStreamId > 1 before emitting the event. If no NFTs have been minted (i.e., nextStreamId == 1), the event should not be emitted to avoid misleading logs and maintain consistency in event data. This will help ensure that only meaningful updates are recorded, improving both clarity and reliability in event logs.
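The Impact section concerns off-chain consumers of this event. The following is an added example, not code from the submission or from Sablier, of an indexer-side check that treats an inverted `BatchMetadataUpdate` range such as (1, 0) as a no-op and clamps every range to on-chain state. The decoded log shape, `planRefresh`, `expand`, `run` and the `MAX_REFRESH` cap are assumptions made for illustration.

```javascript
// Added example: defensive handling of BatchMetadataUpdate (ERC-4906) ranges.
// Assumption: logs are already decoded into BigInt fields, and nextStreamId
// is the contract value read at the block that produced the log.

const MAX_REFRESH = 10000n; // hypothetical cap on ids expanded per event

// Decide what the indexer should do with one decoded event.
function planRefresh(log, nextStreamId) {
  const { fromTokenId: from, toTokenId: to } = log;
  const lastMinted = nextStreamId - 1n; // stream ids start at 1

  // Inverted range, e.g. (1, 0) emitted before any stream exists: no-op.
  if (from > to) return { action: "skip-empty", from, to };

  // Clamp to ids that can exist; do not trust the log beyond on-chain state.
  const lo = from < 1n ? 1n : from;
  const hi = to > lastMinted ? lastMinted : to;
  if (lo > hi) return { action: "skip-unminted", from, to };

  // Very large ranges are queued for lazy refresh, not expanded eagerly.
  if (hi - lo + 1n > MAX_REFRESH) return { action: "queue-lazy", from: lo, to: hi };
  return { action: "refresh", from: lo, to: hi };
}

// Expand a "refresh" plan into concrete token ids; other plans yield none.
function expand(plan) {
  const ids = [];
  if (plan.action !== "refresh") return ids;
  for (let id = plan.from; id <= plan.to; id++) ids.push(id);
  return ids;
}

// Constructed sample logs (not taken from any real chain).
const sampleLogs = [
  { fromTokenId: 1n, toTokenId: 0n, nextStreamId: 1n }, // no streams created yet
  { fromTokenId: 1n, toTokenId: 3n, nextStreamId: 4n }, // three streams exist
];

function run(logs) {
  return logs.map((l) => {
    const plan = planRefresh(l, l.nextStreamId);
    return { action: plan.action, ids: expand(plan).map(String) };
  });
}

console.log(run(sampleLogs));
```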

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
