Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Non-Standard `URI` Implementation in `OWPIdentity`

Summary

The OWPIdentity contract, which is based on the ERC1155 standard, incorrectly implements the uri function by concatenating super.uri with the tokenId directly. According to ERC1155 requirements, the URI should use a replacement mechanism for {id} to ensure metadata compatibility. The current implementation may lead to compliance and client compatibility issues, so it’s recommended to update the function to follow the correct ERC1155 URI format.

Vulnerability Details

The OWPIdentity contract inherits from ERC1155 and aims to implement the expected practices of the ERC1155 standard.

```solidity
contract OWPIdentity is ERC1155, AccessControl, ERC1155Burnable, ERC1155Supply, NativeMetaTransaction {
    ...
}
```

In the current implementation of the uri function, the contract concatenates super.uri with tokenId directly, as shown below:

```solidity
function uri(uint256 tokenId) public view virtual override returns (string memory) {
    return string.concat(super.uri(tokenId), tokenId.toString());
}
```

However, according to the EIP-1155 specification, the URI should reference a JSON file that adheres to the “ERC-1155 Metadata URI JSON Schema.”

Furthermore, OpenZeppelin’s documentation on ERC1155 recommends using a substitution mechanism instead of concatenation to include the token type ID in the URI, indicating that:

“This implementation returns the same URI for all token types. It relies on the token type ID substitution mechanism. Clients calling this function must replace the {id} substring with the actual token type ID.”

This approach aligns with the ERC-1155 standard and ensures consistent URI handling across clients. Direct concatenation, as implemented here, may lead to non-compliance with the ERC1155 standard, potentially affecting compatibility.
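The two URI styles as a client sees them, in an added example that is not part of the submission or the One World code base. The base URIs are constructed placeholders, and `concatStyleUri` assumes `tokenId.toString()` is OpenZeppelin's decimal `Strings.toString`.

```javascript
// EIP-1155 client rule: every "{id}" in the returned URI is replaced by the
// token ID as lowercase hex, without a 0x prefix, zero-padded to 64 characters.
function substituteId(returnedUri, tokenId) {
  const hex = BigInt(tokenId).toString(16).padStart(64, "0");
  return returnedUri.split("{id}").join(hex);
}

// Models the uri() in the finding:
//   string.concat(super.uri(tokenId), tokenId.toString())
// Assumption: toString() yields the decimal form of the ID.
function concatStyleUri(baseUri, tokenId) {
  return baseUri + BigInt(tokenId).toString(10);
}

// What a standards-following client ends up fetching for a given uri() result.
function resolve(returnedUri, tokenId) {
  return {
    hadPlaceholder: returnedUri.includes("{id}"),
    fetchUrl: substituteId(returnedUri, tokenId),
  };
}

// Constructed base URIs (placeholders, not taken from any deployment).
const TEMPLATE_BASE = "https://metadata.example/{id}.json";
const PLAIN_BASE = "https://metadata.example/";

function compare(tokenId) {
  return {
    // Default OpenZeppelin behaviour: same template for every token type.
    template: resolve(TEMPLATE_BASE, tokenId),
    // Concatenation onto a plain base: no placeholder left for the client,
    // so the URL is used as returned and the server must serve decimal paths.
    concatPlain: resolve(concatStyleUri(PLAIN_BASE, tokenId), tokenId),
    // Concatenation onto a base that still contains {id}: the decimal ID is
    // appended after ".json", and the client also substitutes the hex ID.
    concatOnTemplate: resolve(concatStyleUri(TEMPLATE_BASE, tokenId), tokenId),
  };
}

console.log(compare(255));
```

Whether the concatenated form works in practice depends on the base URI passed to the constructor and on what the metadata server serves, neither of which is shown on this page.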

Impact

The OWPIdentity contract may not conform to the ERC1155 standard, potentially leading to issues with client compatibility and metadata retrieval.

Tools Used

Manual Review

Recommendations

It is recommended to revise and update the design of uri.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
