Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Incorrect ERC1155 Metadata URI in OWPIdentity and MembershipERC1155

Summary

Both OWPIdentity and MembershipERC1155 contracts inherit IERC1155MetadataURI through OpenZeppelin’s ERC1155Upgradeable contract. The IERC1155MetadataURI interface includes a single function, uri(uint256 id), intended for off-chain use to retrieve metadata URIs for tokens. This function must conform to the EIP-1155 standard to ensure compatibility with external software and metadata standards.

Vulnerability Details

The current implementations in the following contracts do not follow the standard:
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/OWPIdentity.sol#L27
https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/tokens/MembershipERC1155.sol#L117

Impact

The inability to conform to the URI standard can prevent integration with off-chain systems that rely on the uri function to retrieve metadata.

Tools Used

Manual review.

Recommendations

Consider correctly setting the URIs in the ERC1155 contracts.
Another option would be to adjust the OZ implementation and remove `IERC1155MetadataURI`.
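
For reference, this is how an off-chain consumer (indexer, wallet, marketplace) handles the value returned by `uri(uint256 id)` under EIP-1155. It is an added example, not code from the submission or from the One World contracts; the function names are hypothetical and the URI templates in the usage are constructed sample values.

```javascript
// Added example: off-chain handling of an ERC-1155 metadata URI per EIP-1155.
const UINT256_MAX = (1n << 256n) - 1n;

// EIP-1155: clients MUST replace "{id}" with the token ID as lowercase hex,
// without a 0x prefix, left-padded with zeros to 64 characters.
function encodeTokenId(id) {
  const n = BigInt(id);
  if (n < 0n || n > UINT256_MAX) throw new RangeError("token id is not a uint256");
  return n.toString(16).padStart(64, "0");
}

// Substitute every "{id}" occurrence in the template returned by uri(id).
function resolveErc1155Uri(template, id) {
  return template.split("{id}").join(encodeTokenId(id));
}

// Returns the problems a metadata consumer would hit with this uri() value.
// An empty array means the value can be fetched as-is.
function checkMetadataUri(template, id) {
  const problems = [];
  if (typeof template !== "string" || template.length === 0) {
    problems.push("uri() returned an empty string");
    return problems;
  }
  const resolved = resolveErc1155Uri(template, id);
  // Only the exact, case-sensitive "{id}" token is substituted; leftover braces
  // are not valid unencoded URI characters under RFC 3986.
  if (/[{}]/.test(resolved)) problems.push("literal braces remain after {id} substitution");
  try {
    new URL(resolved); // throws when there is no scheme (relative reference)
  } catch {
    problems.push("resolved value is not an absolute URI");
  }
  return problems;
}

// Constructed sample templates:
console.log(checkMetadataUri("https://token.example/{id}.json", 1)); // conforming
console.log(checkMetadataUri("metadata/{id}.json", 1));              // no scheme
console.log(checkMetadataUri("", 1));                                // unset URI
```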

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
