Submission Details
Severity:
`MembershipERC1155.uri()` & `OWPIdentity.uri()` don't check if the tokenId exist before returning the token URI, violating ERC1155 standards
## Summary
`MembershipERC1155.uri()` & `OWPIdentity.uri()` doesn't check if the tokenId exist before returning the token URI.
## Vulnerability Details
`MembershipERC1155.uri()` & `OWPIdentity.uri()` returns the token uri based on its id,but it was noticed that these functions don't check if the token/NFT exists before returning URI which will result in returning incorrect/invalid URI vioalting ERC1155 token standrd.
## Proof of Concept
[MembershipERC1155.uri()](https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/tokens/MembershipERC1155.sol#L117C4-L124C6)
```javascript
function uri(uint256 tokenId) public view virtual override returns (string memory) {
return string(abi.encodePacked(
super.uri(tokenId),
Strings.toHexString(uint256(uint160(address(this))), 20),
"/",
Strings.toString(tokenId)
));
}
```
[OWPIdentity.uri() ](https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/OWPIdentity.sol#L27C1-L29C6)
```javascript
function uri(uint256 tokenId) public view virtual override returns (string memory) {
return string.concat(super.uri(tokenId), tokenId.toString());
}
```
## Tools Used
Manual Review.
## Recommendations
Update `uri()` functions to check for the tokenId if it exists before execution, if not revert the txn.
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
54128 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.