Incorrect Token Existence Check in tokenURI function
Vulnerability Details
The function tokenURI(uint256 tokenId) in the SoulboundProfileNFT.sol incorrectly checks for token existence using:
if (ownerOf(tokenId) == address(0))
Why is this incorrect?
ownerOf(tokenId)does not returnaddress(0)for non-existent tokens; it instead reverts.As a result, this check will never execute, and any query for a non-existent token will fail with an unhandled revert:
This leads to a denial of service (DoS) risk where users or external applications calling
tokenURIfor an invalid token will have their transactions revert unexpectedly.
Impact
Impact: Contract functions relying on tokenURI may unexpectedly revert, leading to denial of service (DoS) for valid users.
Tools Used
manual review
Recommendations
Use _exists(tokenId), which correctly verifies if a token exists:
if (!_exists(tokenId)) {
revert ERC721Metadata__URI_QueryFor_NonExistentToken();
}
Appeal created
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.