Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

`MembershipERC1155` is not EIP-1155 compliant

zukanopro

Vulnerability Details

EIP-1155 states the following about ERC1155Metadata_URI extension:

The optional ERC1155Metadata_URI extension can be identified with the ERC-165 Standard Interface Detection.

If the optional ERC1155Metadata_URI extension is included:

  • The ERC-165 supportsInterface function MUST return the constant value true if 0x0e89341c is passed through the interfaceID argument.

  • Changes to the URI MUST emit the URI event if the change can be expressed with an event (i.e. it isn’t dynamic/programmatic).

But we see that:

  • MembershipERC1155 does support the extension (IMembershipERC1155), and returns the required constant via supportsInterface

  • It does not emit the URI event as required, when it's changed via function setURI:

function setURI(string memory newURI) external onlyRole(DAO_CREATOR) {
_setURI(newURI);
}

ERC1155Upgradable#_setURI() function:

function _setURI(string memory newuri) internal virtual {
ERC1155Storage storage $ = _getERC1155Storage();
$._uri = newuri;
}

Which will break the specification

Impact

Protocols integrating with MembershipERC1155 may work incorrectly.

Recommendations

emit the URI event as required if it has changed.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

zukanopro Submitter
about 1 year ago
0xbrivan2 Lead Judge
about 1 year ago
0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.