ERC-721 specifically requires that each token has a unique URI associated with it, but this contract does not follow the rules.
When a user calls the trickOrTreat function, they provide the name of the treat, which is used to look up a struct in the mapping treatList.
During the process of minting an NFT, the internal function _setTokenUri is called. This function receives two parameters: the token ID and the token URI data. The token URI data is obtained from the struct associated with the treat name.
However, after minting, the mapping is not updated correctly. Specifically, the line delete treatList[_treatName] is not executed. As a result, another user can provide the same treat name and receive an NFT with the same URI metadata. The only difference between the two NFTs will be their token IDs.
This deviates from the ERC721 NFT standard: each token should have a unique URI. The purpose of the URI is to provide clear, distinguishable metadata for each token. Sharing URIs defeats this purpose.
To fix this issue, the contract should ensure that the treatList mapping is updated appropriately after each successful mint operation. Without this update, the contract fails to maintain the uniqueness of NFTs based on treat names, potentially leading to unintended duplicates.
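A simplified sketch of the fix described above, added here as an example and not taken from the audited contract. It assumes OpenZeppelin's ERC721URIStorage (whose internal setter is _setTokenURI); the Treat fields, addTreat, owner and nextTokenId are hypothetical, and payment handling is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ERC721URIStorage} from "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";

// Simplified model of the contract in this finding (assumed layout, not the real code).
contract TreatShopSketch is ERC721URIStorage {
    struct Treat {
        string name;
        string metadataURI;
    }

    mapping(string => Treat) public treatList;
    uint256 public nextTokenId = 1;
    address public immutable owner;

    error NotOwner();
    error TreatNotAvailable(string treatName);

    constructor() ERC721("TreatSketch", "TRT") {
        owner = msg.sender;
    }

    // Hypothetical admin function: registers one treat under a name.
    function addTreat(string calldata name, string calldata uri) external {
        if (msg.sender != owner) revert NotOwner();
        treatList[name] = Treat(name, uri);
    }

    function trickOrTreat(string calldata _treatName) external {
        // Copy the struct to memory so the URI survives the delete below.
        Treat memory treat = treatList[_treatName];
        if (bytes(treat.metadataURI).length == 0) revert TreatNotAvailable(_treatName);

        uint256 tokenId = nextTokenId++;

        // The update the finding reports as missing. It runs before _safeMint,
        // which calls onERC721Received on contract recipients, so a re-entrant
        // call with the same name finds no entry and reverts.
        delete treatList[_treatName];

        _safeMint(msg.sender, tokenId);
        _setTokenURI(tokenId, treat.metadataURI);
    }
}
```

With the entry deleted, a second call with the same treat name reverts with TreatNotAvailable instead of minting another token that points at the same URI.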
Maybe this is not a bug but a feature, but if you want to have multiple NFTs with the same URI, consider using the ERC1155 standard instead.