Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Violation of ERC-721 Standard in DatasetAccessToken:tokenURI Implementation

igdbaxe

Summary

The tokenURI function in the DatasetAccessToken contract does not comply with ERC-721 standards, as it fails to revert when a non-existent tokenId is queried. This deviation from the standard could lead to unexpected behavior or integration issues, particularly for applications or contracts expecting standard ERC-721 behavior. Adding a check for tokenId existence within the tokenURI function would bring the implementation into compliance, ensuring interoperability and preventing potential errors in external applications.

Vulnerability Derails

The tokenURI function in the DatasetAccessToken contract returns a URI based on a baseURI and the knowledgeId but lacks a check for whether the tokenId exists. Without this check, querying tokenURI with an invalid tokenId will not revert, violating ERC-721 standards.

Here is the relevant code:

tokenURI: The function simply concatenates the baseURI with knowledgeId without checking if tokenId is valid.

Code snippet:
solidity
function tokenURI(uint256) public view virtual override returns (string memory) {
return string(abi.encodePacked(baseURI, knowledgeId));
}

The ERC-721 standard requires the implementation to revert if a non-existent tokenId is provided. Failure to do so could lead to unexpected behavior and non-standard compliance issues for integrators.

Impact

The DatasetAccessToken contract’s tokenURI function does not adhere to the ERC-721 standard requirements. Specifically, it fails to revert when queried with a non-existent tokenId. According to the ERC-721 specification, the tokenURI function must revert if an invalid tokenId is passed. This non-compliance can lead to unexpected behavior when external applications or contracts interact with DatasetAccessToken. Integrators relying on standard ERC-721 behavior may face inconsistencies, causing potential errors in user interfaces or interoperability issues with other contracts and protocols expecting compliance.

Tools Used

Manual Review

Recommended Mitigation Steps

To ensure ERC-721 standard compliance, add an _exists(tokenId) check in the tokenURI function to confirm the existence of the tokenId before proceeding. This can be implemented as follows:
solidity
function tokenURI(uint256 tokenId) public view virtual override returns (string memory) {
require(_exists(tokenId), "ERC721: URI query for nonexistent token");
return string(abi.encodePacked(baseURI, knowledgeId));
}

Adding this check will ensure the function reverts on non-existent tokenIds, aligning the contract with the ERC-721 standard.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.