GivingThanks

First Flight #28

Submission Details
Severity: medium
Invalid

Non-Unique Token URI Metadata

Summary

The URI metadata generated for NFTs in the GivingThanks contract does not include the tokenCounter or the charity address, so identical donations produce duplicate URIs.

Vulnerability Details

The _createTokenURI function builds metadata from the donor address, timestamp and amount only; it does not incorporate the tokenCounter or the charity address. Multiple donations with identical parameters (same donor, same block timestamp, same amount) therefore generate byte-identical URIs. This undermines the uniqueness of each NFT, a core aspect of its identity and traceability.
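A Foundry test that reproduces the duplicate, added here as an example and not part of the submission or the project's own test suite. It assumes the contract's public interface: a constructor taking the registry address, a payable donate(address charity) that mints sequential token ids, ERC721 tokenURI, and a CharityRegistry with registerCharity/verifyCharity callable by its deployer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {GivingThanks} from "../src/GivingThanks.sol";
import {CharityRegistry} from "../src/CharityRegistry.sol";

// Assumed interface (see lead-in): this test is illustrative and may need the
// constructor / registry wiring adjusted to the actual contract.
contract DuplicateUriTest is Test {
    CharityRegistry registry;
    GivingThanks giving;
    address donor = makeAddr("donor");
    address charity = makeAddr("charity");

    function setUp() public {
        registry = new CharityRegistry();
        registry.registerCharity(charity);
        registry.verifyCharity(charity); // deployer acts as admin in this assumed setup
        giving = new GivingThanks(address(registry));
        vm.deal(donor, 10 ether);
    }

    // Two donations with the same donor, amount and block.timestamp are distinct
    // tokens (ids 0 and 1) but, because _createTokenURI ignores tokenCounter and
    // charity, their metadata is byte-identical.
    function testIdenticalDonationsYieldDuplicateUri() public {
        vm.startPrank(donor);
        giving.donate{value: 1 ether}(charity); // tokenId 0
        giving.donate{value: 1 ether}(charity); // tokenId 1, same block
        vm.stopPrank();

        string memory uri0 = giving.tokenURI(0);
        string memory uri1 = giving.tokenURI(1);
        assertEq(keccak256(bytes(uri0)), keccak256(bytes(uri1)));
    }
}
```

After applying the recommended fix the assertion should fail, which makes this test a regression check when flipped to assertNotEq.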

Impact

Duplicate metadata for NFTs can lead to ambiguity and reduce the reliability of donation receipts as unique records. This could erode trust in the platform and detract from the donor experience.

Tools Used

Manual Code Review

Recommendations

Include tokenCounter and charity as part of the metadata in _createTokenURI so that each URI is unique; the minting path must pass the current tokenCounter and the charity address through to it. For example:

```solidity
function _createTokenURI(
    address donor,
    uint256 date,
    uint256 amount,
    uint256 tokenId,
    address charity
) internal pure returns (string memory) {
    // tokenId and charity are now part of the JSON, so two donations with the
    // same donor, date and amount still produce distinct metadata.
    string memory json = string(
        abi.encodePacked(
            '{"donor":"',
            Strings.toHexString(uint160(donor), 20),
            '","charity":"',
            Strings.toHexString(uint160(charity), 20),
            '","date":"',
            Strings.toString(date),
            '","amount":"',
            Strings.toString(amount),
            '","tokenId":"',
            Strings.toString(tokenId),
            '"}'
        )
    );
    // Encode and return as before (the contract's existing Base64 data-URI step)
    return string(abi.encodePacked("data:application/json;base64,", Base64.encode(bytes(json))));
}
```
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
