The Flow::tokenURI function consistently returns the same hardcoded URI, regardless of the streamId passed to it. According to the documentation, the FlowNFTDescriptor should provide a unique URI describing each specific stream NFT, but it does not function as intended. Instead, it outputs an identical URI for all stream IDs.
The Flow::tokenURI function is designed to retrieve the metadata associated with a specific NFT tied to a streaming mechanism within the Flow Protocol. Ideally, the URI should vary based on the streamId, allowing users and applications to fetch distinct metadata for each NFT representing a unique stream.
However, upon inspection, it has been observed that:
The function does not utilize the streamId in any conditional logic to differentiate the URIs.
Instead, it returns a hardcoded URI, making all NFTs indistinguishable from one another in terms of metadata representation.
This issue raises several concerns:
Loss of Uniqueness: Each NFT tied to a stream should provide unique characteristics, but the hardcoded URI fails to reflect this, resulting in a loss of the intrinsic value associated with NFT uniqueness.
User Confusion: Users and applications expecting to interact with different stream NFTs may be misled, as they will receive the same metadata regardless of the NFT queried.
All users get the same NFT regardless of the stream ID.
Manual Review
Implement Stream-Specific Logic: Modify the Flow::tokenURI function to correctly utilize the streamId parameter to generate unique URIs for each NFT based on its associated stream. This could involve updating the FlowNFTDescriptor to accept and process the streamId.
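One way to make the descriptor stream-specific, shown as an added example that is not the protocol's own code: the contract name StreamAwareDescriptor and its tokenURI signature are hypothetical, and the OpenZeppelin Strings and Base64 libraries are assumed to be available. It derives the metadata only from the NFT contract address and the streamId, since the page does not show which stream fields the contract exposes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import { Base64 } from "@openzeppelin/contracts/utils/Base64.sol";
import { Strings } from "@openzeppelin/contracts/utils/Strings.sol";

/// @notice Hypothetical descriptor (illustration only, not FlowNFTDescriptor).
/// Every output depends on `streamId`, so two streams never share a URI.
contract StreamAwareDescriptor {
    using Strings for uint256;

    /// @param nft Address of the stream NFT contract (assumed parameter).
    /// @param streamId ID of the stream whose metadata is requested.
    /// @return uri A data URI holding base64-encoded JSON metadata.
    function tokenURI(address nft, uint256 streamId)
        external
        pure
        returns (string memory uri)
    {
        // Decimal string of the ID; digits only, so it is safe inside JSON.
        string memory id = streamId.toString();

        // Build the JSON from values that cannot contain quotes or
        // backslashes (digits and a hex address), avoiding JSON injection.
        bytes memory json = abi.encodePacked(
            '{"name":"Stream #', id, '",',
            '"description":"Stream ', id,
            " on contract ", Strings.toHexString(nft), '",',
            '"attributes":[{"trait_type":"Stream ID","value":"', id, '"}]}'
        );

        uri = string.concat(
            "data:application/json;base64,",
            Base64.encode(json)
        );
    }
}
```

A regression test for the fix can assert that the URIs returned for two different stream IDs are not equal.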