_baseURI() Not Overridden in tokenURI() (Incorrect Metadata URI Generation)
Description
The tokenURI() function in SoulboundProfileNFT constructs and returns on-chain metadata for each NFT. However, the _baseURI() function is not overridden, meaning it returns an empty string ("")
Since _baseURI() is concatenated with the Base64-encoded metadata, the resulting tokenURI will be incorrect, making it impossible for applications (such as marketplaces or dApps) to properly fetch and display metadata for the NFTs.
Impact
Metadata is incorrectly formatted and unusable, preventing NFT details from being displayed properly.
Marketplaces, dApps, and external services that rely on tokenURI() will not be able to retrieve profile details, breaking integrations.
Users will not see their profile information (name, age, image) associated with their NFT, reducing usability.
Proof of concept
1- The tokenURI() function constructs the metadata URI as follows:
2- Since _baseURI() returns "", the resulting URI will be:
eyJuYW1lIjoiSm9obiBEb2UiLCJkZXNjcmlwdGlvbiI6IkEgc291bGJvdW5kIGRhdGluZyBwcm9maWxlIE5GVC4iLCJhdHRyaWJ1dGVzIjpbeyJ0cmFpdF90eXBlIjoiQWdlIiwidmFsdWUiOjMwfV0sImltYWdlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9pbWFnZXMvam9obmRvZS5wbmcifQ==
This is not a valid metadata URI because it lacks the required prefix
(data:application/json;base64,)
Tools Used
manual
Recommendations
Override _baseURI() to return the correct prefix for Base64-encoded metadata:
Now, the tokenURI will be properly formatted, allowing dApps and marketplaces to fetch and display metadata correctly.
Appeal created
invalid_baseURI_not_override
`_baseURI` can remains empty, the token URI will have a valid JSON. Rest can be handled in the app interface.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.