GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Token URI Generation Fails for Multiple Donations in the Same Block

Description
The _createTokenURI function generates a token URI based on the donor's address, the date, and the donation amount. However, it does not account for the scenario where multiple donations are made by the same donor within the same block. As a result, donations made in the same block will generate identical token URIs, leading to potential conflicts and incorrect metadata for the tokens. Integrating the tokenCounter into the URI will ensure uniqueness.

Code Snippet

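    // @audit donations in the same block will result in the same token URIs
    function _createTokenURI(address donor, uint256 date, uint256 amount) internal pure returns (string memory) {
        // Create JSON metadata
        string memory json = string(
            abi.encodePacked(
                '{"donor":"',
                Strings.toHexString(uint160(donor), 20),
                '","date":"',
                Strings.toString(date),
                '","amount":"',
                Strings.toString(amount),
                '"}'
            )
        );
        // Encode in base64 using OpenZeppelin's Base64 library
        string memory base64Json = Base64.encode(bytes(json));
        // Return the data URL
        return string(abi.encodePacked("data:application/json;base64,", base64Json));
    }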

Impact

  • Token URI Conflicts: If a donor makes multiple donations in the same block, all tokens will have the same URI, which can lead to confusion and incorrect representation of the donations.

  • Loss of Metadata Integrity: The uniqueness of each token's metadata is compromised, which is critical for tracking and verifying donations.

Recommendation
To ensure that each token URI is unique, integrate the tokenCounter into the URI generation process. This will provide a unique identifier for each token based on the order of minting.

Code Snippet

    function _createTokenURI(address donor, uint256 date, uint256 amount, uint256 tokenCounter) internal pure returns (string memory) {
        // Create JSON metadata
        string memory json = string(
            abi.encodePacked(
                '{"donor":"',
                Strings.toHexString(uint160(donor), 20),
                '","date":"',
                Strings.toString(date),
                '","amount":"',
                Strings.toString(amount),
                '","tokenCounter":"',
                Strings.toString(tokenCounter),
                '"}'
            )
        );
        // Encode in base64 using OpenZeppelin's Base64 library
        string memory base64Json = Base64.encode(bytes(json));
        // Return the data URL
        return string(abi.encodePacked("data:application/json;base64,", base64Json));
    }

Conclusion

Modifying the _createTokenURI function to include the tokenCounter will ensure that each token generated, even by the same donor in the same block, has a distinct URI. This change is essential for maintaining the integrity and uniqueness of token metadata.
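A Foundry test for the behaviour described above, added here as an example and not taken from the contest repository. `UriHarness` is a hypothetical harness that copies the two URI builders from this page; the donor address, timestamp and amounts are constructed sample values. It also shows that the original builder only collides when the amount matches as well as the donor and date.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
import {Base64} from "@openzeppelin/contracts/utils/Base64.sol";

// Hypothetical harness: exposes the two builders shown on this page as external calls.
contract UriHarness {
    function _wrap(bytes memory json) private pure returns (string memory) {
        return string(abi.encodePacked("data:application/json;base64,", Base64.encode(json)));
    }

    function original(address donor, uint256 date, uint256 amount) external pure returns (string memory) {
        return _wrap(abi.encodePacked(
            '{"donor":"', Strings.toHexString(uint160(donor), 20),
            '","date":"', Strings.toString(date),
            '","amount":"', Strings.toString(amount), '"}'
        ));
    }

    function withCounter(address donor, uint256 date, uint256 amount, uint256 tokenCounter)
        external pure returns (string memory)
    {
        return _wrap(abi.encodePacked(
            '{"donor":"', Strings.toHexString(uint160(donor), 20),
            '","date":"', Strings.toString(date),
            '","amount":"', Strings.toString(amount),
            '","tokenCounter":"', Strings.toString(tokenCounter), '"}'
        ));
    }
}

contract TokenUriUniquenessTest is Test {
    UriHarness internal h = new UriHarness();
    address internal donor = address(0xD0); // constructed sample donor
    uint256 internal date = 1_700_000_000;  // constructed sample block timestamp

    function _differ(string memory a, string memory b) internal pure returns (bool) {
        return keccak256(bytes(a)) != keccak256(bytes(b));
    }

    function test_originalBuilder() public {
        // Same donor, timestamp and amount: the two URIs are byte-identical.
        assertEq(h.original(donor, date, 1 ether), h.original(donor, date, 1 ether));
        // A different amount in the same block already yields a distinct URI.
        assertTrue(_differ(h.original(donor, date, 1 ether), h.original(donor, date, 2 ether)));
    }

    function test_counterBuilder() public {
        // Identical donation fields, consecutive counters: URIs now differ.
        assertTrue(_differ(h.withCounter(donor, date, 1 ether, 0), h.withCounter(donor, date, 1 ether, 1)));
    }
}
```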

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
