QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

LPNFT tokenURI not implemented

jsondoge

Summary

Even though name and symbol are provided tokenURI is not, defaulting to an empty string. Since NFTs are transferrable, they can still be listed on outside markets, where tokenURI is used.

Vulnerability Details

When implementing ERC721 standard two functions are used when constructing tokenURI (tokenURI and _baseURI) and either of them can be overridden to modify it.

function tokenURI(uint256 tokenId) public view virtual returns (string memory) {
_requireOwned(tokenId);
string memory baseURI = _baseURI();
// @audit if baseURI == "" -> then return ""
return bytes(baseURI).length > 0 ? string.concat(baseURI, tokenId.toString()) : "";
}
/**
* @dev Base URI for computing {tokenURI}. If set, the resulting URI for each
* token will be the concatenation of the `baseURI` and the `tokenId`. Empty
* by default, can be overridden in child contracts.
*/
function _baseURI() internal view virtual returns (string memory) {
return "";
}

Since the LPNFT after inheriting ERC721 doesn't modify any of these, it will default to returning an empty string.

Impact

Lack of tokenURI implementation will default to empty string and no data if the NFTs are listed on third party marketplaces

Tools Used

Manual review

Recommendations

Possible implementation

string private baseURI;
constructor(
string memory _name,
string memory _symbol,
string memory _baseURI,
address _router
) ERC721(_name, _symbol) {
baseURI = _baseURI;
router = UpliftOnlyExample(payable(_router));
}
function _baseURI() internal view override returns (string memory) {
return baseURI;
}
Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_LPNFT_no_tokenURI

ERC721 Metadata extension is optional in the standard.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!