DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Profile Existence Check on SoulboundProfileNFT contract

mallickpramod07

Summary

In the tokenURI function, we should add a check to ensure if the token exists before accessing its metadata to avoid potential issues.

Vulnerability Details

To ensure that the profile existence check is properly implemented, we can add a check in the tokenURI function to verify that the token exists before accessing its metadata.

Impact

Potential issues can arise when querying metadata for non-existent tokens.

Tools Used

no tools

Recommendations

Please follow the below steps.

Step1 - Modify the tokenURI function to add check.

function tokenURI(uint256 tokenId) public view virtual override returns (string memory) { if (!_exists(tokenId)) { revert ERC721Metadata__URI_QueryFor_NonExistentToken(); } string memory profileName = _profiles[tokenId].name; uint256 profileAge = _profiles[tokenId].age; string memory imageURI = _profiles[tokenId].profileImage; return string( abi.encodePacked( _baseURI(), Base64.encode( bytes( abi.encodePacked( '{"name":"', profileName, '", ', '"description":"A soulbound dating profile NFT.", ', '"attributes": [{"trait_type": "Age", "value": ', Strings.toString(profileAge), "}], ", '"image":"', imageURI, '"}' ) ) ) ) ); }

Step2- Implement the following code to Test the tokenURI function for a non-existent token and expect it to revert with the appropriate error. And test the mintProfile function to ensure that a profile can be minted and that the tokenURI function returns a valid URI for the minted token.

`// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";
import "../src/SoulboundProfileNFT.sol";

contract SoulboundProfileNFTTest is Test {
SoulboundProfileNFT private nft;

function setUp() public {
nft = new SoulboundProfileNFT();
}
function testTokenURIForNonExistentToken() public {
uint256 nonExistentTokenId = 9999;
vm.expectRevert(SoulboundProfileNFT.ERC721Metadata__URI_QueryFor_NonExistentToken.selector);
nft.tokenURI(nonExistentTokenId);
}
function testMintProfile() public {
nft.mintProfile("Alice", 30, "ipfs://profileImage");
uint256 tokenId = nft.profileToToken(address(this));
assertEq(tokenId, 1);
string memory uri = nft.tokenURI(tokenId);
assert(bytes(uri).length > 0);
}

}`

Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_URI_injection_scam_underaged_bad_name_photo_etc

Scamming/phishing is not the protocol problem, that's a user mistake. NFT are unique, even if someone does a copy of your profile (which is also possible in web2), I consider it informational. Injection is a problem for the web2 part of the protocol, not a bug here. For the age, it depends on the countries law and future medicine. Anyways, that's more an ethical/political problem, not a bug.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.