Flow
Sablier
FoundryDeFi
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Lack of MetadataUpdate Emission in NFT Stream Deposits

0xg0p1

Summary

Metadata is not updating when a deposit is made.

Vulnerability Details

According to EIP-4906, when there is an update in NFT metadata, the MetadataUpdate event should be emitted. The createAndDeposit function is responsible for creating a stream and depositing a certain amount into it. However, while the updateMetadata function modifier is in place to emit the MetadataUpdate event, the createAndDeposit function does not emit this event even when the stream's balance is changed.

Having a standardized MetadataUpdate event is crucial as it allows third-party platforms to timely update the metadata of various NFTs. Without this event being emitted, third-party platforms are unable to update the NFT metadata accordingly.

function createAndDeposit(
address sender,
address recipient,
UD21x18 ratePerSecond,
IERC20 token,
bool transferable,
uint128 amount
)
external
override
noDelegateCall
returns (uint256 streamId)
{
// Checks, Effects, and Interactions: create the stream.
streamId = _create(sender, recipient, ratePerSecond, token, transferable);
// Checks, Effects, and Interactions: deposit into the stream.
_deposit(streamId, amount);
}

Impact

Other third-party platforms cannot update the metadata of the NFT if no event is emitted.

Tools Used

Manual Review

Recommendations

implement updateMetadata in createAndDeposit function

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[INVALID] Non-Unique Metadata

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.