GivingThanks

First Flight #28
Beginner Friendly, Foundry
Submission Details
Severity: high
Invalid

Wrong tokenURI is set for each NFT mint

Summary

In the GivingThanks.sol#donate(address) function, _setTokenURI(tokenCounter, uri) is called after _mint(msg.sender, tokenCounter), causing the NFT to be minted with an empty tokenURI.

Vulnerability Details

_setTokenURI(tokenCounter, uri) sets the URI for the corresponding tokenCounter, but the issue is that it is called after _mint(msg.sender, tokenCounter): the mint function is called before a correct URI is set for tokenCounter, so the NFT is minted with the wrong URI.

Impact

After _setTokenURI(tokenCounter, uri) is called, tokenCounter is incremented, and after that, if another donor calls donate(address), the tokenCounter will not have a URI set, causing the NFT to be minted with an empty URI.

Tools Used

Manual Review

Recommendations

Change the order of _mint(msg.sender, tokenCounter) and _setTokenURI(tokenCounter, uri) as follows:

function donate(address charity) public payable {
require(registry.isVerified(charity), "Charity not verified");
(bool sent,) = charity.call{value: msg.value}("");
require(sent, "Failed to send Ether");
- _mint(msg.sender, tokenCounter);
// Create metadata for the tokenURI
string memory uri = _createTokenURI(msg.sender, block.timestamp, msg.value);
_setTokenURI(tokenCounter, uri);
+ _mint(msg.sender, tokenCounter);
tokenCounter += 1;
}
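
Review bot: moving _mint(msg.sender, tokenCounter) below _setTokenURI(tokenCounter, uri) does not change the URI the token ends up with, because both calls use the same tokenCounter value inside one donate call, before tokenCounter += 1 runs, so the URI is stored under the minted id in either order. If _setTokenURI here comes from OpenZeppelin's ERC721URIStorage 4.x (the page does not say which version is used), that function requires the token to already exist, so the proposed order would revert every donation. Separately, the unchanged charity.call{value: msg.value}("") line hands control to an external address before the mint and the counter update; consider performing the state changes first and the transfer last, or adding a reentrancy guard.
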
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
