Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: low
Invalid

`setURI` Function Will Break Off-Chain Metadata Tracking

Summary

The setURI function in the MembershipERC1155 and OWPIdentity contracts allows the admin and the creator to update the URI for all tokens. However, the function does not emit the required URI event when the URI is changed, which violates the ERC-1155 standard. This could lead to off-chain systems (such as wallets and marketplaces) not being notified of URI changes, potentially causing incorrect metadata display for tokens.

Vulnerability Details

The ERC-1155 standard mandates that a URI event must be emitted whenever the URI for any token is updated. However, in both the MembershipERC1155 and OWPIdentity contracts, the setURI function does not emit the URI event. This omission may cause off-chain systems that rely on the URI event to fail to update the token metadata, leading to inconsistent or outdated information being displayed to users.

MembershipERC1155:

/// @notice Set a new URI for all token types
/// @param newURI The new URI to set
function setURI(string memory newURI) external onlyRole(DAO_CREATOR) {
    _setURI(newURI); // URI updates without emitting the URI event
}

OWPIdentity:

function setURI(string memory newuri) public onlyRole(DEFAULT_ADMIN_ROLE) {
    _setURI(newuri); // URI updates without emitting the URI event
}

In both cases, the URI event is not emitted when the setURI function is called to change the URI.

Impact

Failure to emit the URI event when the URI is updated can cause the following issues:

  • Off-chain systems, such as metadata services, wallets, or marketplaces, may not be aware of URI changes and may continue to show outdated or incorrect metadata for the tokens.

  • The contracts violate the "MUST" statement in the EIP-1155 standard, which could lead to compatibility issues with third-party tools and platforms that expect the URI event to be emitted.

Tools Used

  • Manual review

Recommendations

Emit the URI Event in setURI: Ensure that the URI event is emitted whenever the URI is updated in the setURI function. Here’s how this can be fixed:

function setURI(string memory newURI) external onlyRole(DAO_CREATOR) {
    _setURI(newURI);
    emit URI(newURI, 0); // Emit the URI event for all token types (tokenId = 0)
}

function setURI(string memory newuri) public onlyRole(DEFAULT_ADMIN_ROLE) {
    _setURI(newuri);
    emit URI(newuri, 0); // Emit the URI event for all token types (tokenId = 0)
}

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
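
The off-chain staleness described under Impact can be modelled without a chain. The following Python model is an added example, not code from the submission or from the One World contracts; the `Contract` and `Indexer` classes and the `meta.example` URLs are constructed for illustration. It compares a cache that refreshes only on `URI` events with a reconciliation pass that re-reads `uri(id)`, applying the EIP-1155 `{id}` substitution rule on the client side.

```python
from dataclasses import dataclass, field

def expand_uri(template: str, token_id: int) -> str:
    # EIP-1155 client rule: {id} becomes the token id as 64 lowercase hex chars, no 0x.
    return template.replace("{id}", format(token_id, "064x"))

@dataclass
class Contract:
    # Constructed stand-in for on-chain state: one URI template for all token ids.
    template: str
    logs: list = field(default_factory=list)  # (event_name, value, id) tuples
    def set_uri(self, new_template: str, emit_event: bool, token_id: int = 0) -> None:
        self.template = new_template
        if emit_event:
            self.logs.append(("URI", new_template, token_id))

    def uri(self, token_id: int) -> str:
        # What a uri(id) view call returns: the raw template.
        return self.template

@dataclass
class Indexer:
    # Hypothetical indexer caching the resolved metadata URL per token id.
    cache: dict = field(default_factory=dict)
    seen: int = 0  # number of log entries already processed
    def prime(self, contract: Contract, ids) -> None:
        for i in ids:
            self.cache[i] = expand_uri(contract.uri(i), i)

    def apply_events(self, contract: Contract) -> None:
        # Event-driven refresh: only the id named in each URI event is updated.
        for name, value, token_id in contract.logs[self.seen:]:
            if name == "URI" and token_id in self.cache:
                self.cache[token_id] = expand_uri(value, token_id)
        self.seen = len(contract.logs)

    def reconcile(self, contract: Contract) -> list:
        # Re-read uri(id) for every cached id; return the ids that were stale and fix them.
        stale = [i for i in self.cache if self.cache[i] != expand_uri(contract.uri(i), i)]
        for i in stale:
            self.cache[i] = expand_uri(contract.uri(i), i)
        return sorted(stale)

def stale_after_update(emit_event: bool, ids=(0, 1, 2)) -> list:
    c = Contract("https://meta.example/v1/{id}.json")  # constructed URL
    ix = Indexer()
    ix.prime(c, ids)
    c.set_uri("https://meta.example/v2/{id}.json", emit_event)
    ix.apply_events(c)
    return ix.reconcile(c)
```

In this model, `stale_after_update(False)` reports every cached id as stale, while `stale_after_update(True)` still reports ids 1 and 2, because an event carrying id 0 only refreshes the entry keyed by id 0. A periodic `reconcile` against `uri(id)` closes the gap in both cases.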
