GivingThanks

Summary

The GivingThanks contract references the _setTokenURI function to assign metadata (URI) to the minted ERC721 tokens. However, this function does not exist in the contract, which will lead to a compilation error or runtime failure.

Vulnerability Details

The GivingThanks contract inherits from ERC721URIStorage, which includes a setTokenURI function that allows setting the URI for a specific token. However, the contract incorrectly calls a non-existent function, _setTokenURI. In Solidity, functions with an underscore (_) prefix are typically internal functions, but in this case, _setTokenURI is not defined anywhere in the contract or inherited from the ERC721URIStorage contract. This can cause unexpected behavior, as the contract would fail to compile or deploy without correcting this issue.

Impact

• Compilation Failure: The contract will not compile due to the missing function definition. Specifically, the line _setTokenURI(tokenCounter, uri); will trigger a compile-time error.

• Functionality Breakage: Even if the code compiles in a different context or with other modifications, failing to properly set the token URI would result in the lack of metadata being associated with the minted tokens. This would render the minted tokens incomplete and missing critical donor information (e.g., donation amount, donor address, and timestamp).

• User Experience Issues: Users may receive tokens without metadata, which defeats the purpose of creating donation receipts via NFTs. It reduces trust and transparency in the donation process.

Tools Used

Manual Code Review: The issue was identified through reviewing the Solidity contract code manually.

Recommendations

Replace _setTokenURI with setTokenURI: The ERC721URIStorage contract already includes a public function setTokenURI to set a token's URI. Update the function call from _setTokenURI(tokenCounter, uri) to setTokenURI(tokenCounter, uri).