DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

TokenUri encoded in Base64 could cause interoperability issues

Summary

The tokenURI function Base64-encodes the JSON metadata it builds on-chain and appends the result to _baseURI(). Base64 is a common choice for fully on-chain metadata, but in this implementation it may be unnecessary and counterproductive: it complicates off-chain processing, may cause interoperability issues with consumers that expect plain JSON, and adds encoding overhead to every tokenURI call.

Vulnerability Details

  • The current implementation of tokenURI Base64-encodes the JSON metadata object it builds on-chain. The returned URI is therefore not human-readable and cannot be parsed directly by off-chain applications that expect a plain JSON metadata URI; they must first detect and strip the encoding.

  • The additional encoding layer adds computation, which may raise gas costs when tokenURI is called. Note that tokenURI is a view function: the extra cost is paid only by contracts that call it inside a transaction, while off-chain reads via eth_call cost no gas.

  • There is also a risk of tooling incompatibility: an NFT platform or metadata aggregator that expects a plain JSON response and does not decode Base64 will fail to display the NFT's details.

Impact

  • Off-chain systems that do not handle the encoding may fail to interpret or display the NFT metadata, affecting applications that rely on standard metadata formats.

  • The extra Base64 layer makes tokenURI more complex and, for on-chain callers, more expensive.

  • If Base64-encoded metadata is not supported or expected by an external platform, the result is a broken user experience: attributes not rendered, or the NFT rejected outright by that platform.

Recommendations

Remove the Base64 encoding layer from tokenURI and return the metadata as a plain JSON string, or return a direct URL to off-chain storage that serves the JSON. Two checks belong with that change: whatever _baseURI() returns must describe the new payload (a prefix that declares base64, such as data:application/json;base64, would make consumers try to Base64-decode raw JSON), and raw JSON placed inside a data: URI should be percent-encoded so the URI stays valid under RFC 2397. For example, modify the tokenURI function as follows:

function tokenURI(uint256 tokenId) public view virtual override returns (string memory) {
    if (ownerOf(tokenId) == address(0)) {
        revert ERC721Metadata__URI_QueryFor_NonExistentToken();
    }
    string memory profileName = _profiles[tokenId].name;
    uint256 profileAge = _profiles[tokenId].age;
    string memory imageURI = _profiles[tokenId].profileImage;
    return string(
        abi.encodePacked(
            _baseURI(),
-           Base64.encode(
-               bytes( // the bytes() cast is redundant: abi.encodePacked() already returns bytes
-                   abi.encodePacked(
            '{"name":"', profileName, '", ',
            '"description":"A soulbound dating profile NFT.", ',
            '"attributes": [{"trait_type": "Age", "value": ', Strings.toString(profileAge), '}], ',
            '"image":"', imageURI, '"}'
        )
-                   )
-               )
-           )
    );
}
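As an added illustration (not code from the DatingDapp project or this submission), the following Python shows what an off-chain consumer such as a marketplace or indexer has to do with the two tokenURI shapes this finding compares, and what breaks if Base64.encode is removed while _baseURI() still advertises base64. The metadata fields and description mirror the tokenURI snippet above; the data: prefixes, the helper names and the sample profile are assumptions, because the page does not show what _baseURI() returns.

```python
import base64
import binascii
import json
from typing import Optional
from urllib.parse import quote, unquote

# Taken from the tokenURI snippet on this page.
DESCRIPTION = "A soulbound dating profile NFT."

# Assumed prefixes: the contract's _baseURI() is not shown, so the base64 prefix
# here is the conventional one for on-chain metadata, not a quote of the project.
BASE64_PREFIX = "data:application/json;base64,"
PLAIN_PREFIX = "data:application/json;utf8,"


def build_metadata(name: str, age: int, image_uri: str) -> dict:
    """The JSON object the on-chain tokenURI assembles by string concatenation."""
    return {
        "name": name,
        "description": DESCRIPTION,
        "attributes": [{"trait_type": "Age", "value": age}],
        "image": image_uri,
    }


def build_token_uri(name: str, age: int, image_uri: str, use_base64: bool) -> str:
    """Off-chain mirror of both tokenURI shapes discussed in the finding.

    use_base64=True  -> the current, Base64-wrapped form.
    use_base64=False -> the recommended plain-JSON form; the payload is
    percent-encoded so the result is still a valid RFC 2397 data URI.
    """
    payload = json.dumps(build_metadata(name, age, image_uri), separators=(",", ":"))
    if use_base64:
        return BASE64_PREFIX + base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return PLAIN_PREFIX + quote(payload, safe="")


def parse_token_uri(uri: str) -> dict:
    """What a consumer must do with a data: tokenURI.

    Reads the header to handle both the Base64 and the plain form, and raises
    ValueError when header and payload disagree, which is the failure a
    consumer hits if Base64.encode is removed but the prefix still says base64.
    """
    if not uri.startswith("data:"):
        raise ValueError("not a data: URI; an http(s)/ipfs URI must be fetched instead")
    header, sep, body = uri[len("data:"):].partition(",")
    if not sep:
        raise ValueError("malformed data: URI: no ',' between header and payload")
    params = header.split(";")
    media_type = params[0] or "text/plain"
    if media_type != "application/json":
        raise ValueError(f"unexpected media type {media_type!r}")
    if "base64" in params[1:]:
        try:
            text = base64.b64decode(body, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("header declares base64 but payload is not base64 text") from exc
    else:
        text = unquote(body)
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("payload is not valid JSON") from exc


def consumer_accepts(uri: str) -> bool:
    """True when parse_token_uri can turn the URI into metadata without error."""
    try:
        parse_token_uri(uri)
        return True
    except ValueError:
        return False


def profile_age(metadata: dict) -> Optional[int]:
    """Pull the Age trait out of the attributes array, None if absent."""
    for trait in metadata.get("attributes", []):
        if trait.get("trait_type") == "Age":
            return trait.get("value")
    return None


if __name__ == "__main__":
    # Constructed sample profile.
    encoded = build_token_uri("Alice", 29, "ipfs://example-cid/alice.png", use_base64=True)
    plain = build_token_uri("Alice", 29, "ipfs://example-cid/alice.png", use_base64=False)
    print(parse_token_uri(encoded) == parse_token_uri(plain))  # True: same metadata either way
    # The recommendation applied without changing _baseURI(): raw JSON behind a base64 prefix.
    broken = BASE64_PREFIX + json.dumps(build_metadata("Alice", 29, "ipfs://example-cid/alice.png"))
    print(consumer_accepts(broken))  # False: the consumer rejects the mismatched URI
```

A consumer written this way accepts either form, so the interoperability argument only holds against consumers that hard-code one of them; the mismatch case is the one that breaks unconditionally.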
Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on mainnet without any supposition ("if", "it could", etc.) to prove your point.
