Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Missing TokenURI Function in RAACNFT contract Makes All NFTs Look the Same and Unusable

Summary

The RAACNFT.sol contract, which creates NFTs to represent real estate assets, doesn’t have a tokenURI function. This function is needed to give each NFT its own unique details (like a house’s address or picture). Without it, all NFTs either have no details or look identical, which can confuse users and break how the NFTs work in the RAAC lending protocol. Just having a baseURI that the owner can change isn’t enough to fix this.

Vulnerability Details

In the code, the contract sets up a baseURI, which is a starting point for where NFT details are stored (like a web link to a folder).

    string public baseURI = "ipfs://QmZzEbTnUWs5JDzrLKQ9yGk1kvszdnwdMaVw9vNgjCFLo2/";
    function _baseURI() internal view override returns (string memory) {
        return baseURI;
    }

The baseURI is set to an IPFS link (a place online where files can be saved), and the owner can update it with this function:

    function setBaseUri(string memory _uri) external override onlyOwner {
        baseURI = _uri;
        emit BaseURIUpdated(_uri);
    }

But here’s the issue: there’s no tokenURI function to use this baseURI and add a unique number (called tokenId) for each NFT. Normally, tokenURI would take the baseURI and add something like “1.json” or “2.json” to point to different files for each NFT. Without it, the contract can’t tell anyone what each NFT represents. If all NFTs share one metadata file (which is unlikely for unique houses), baseURI alone could suffice, but this contradicts the real estate asset representation goal.

The base ERC721 standard doesn’t require tokenURI; it’s optional, part of the ERC721Metadata extension. However, tokenURI is widely adopted for metadata (name, description, image), making it a practical necessity. For assets like houses, unique metadata is critical. Each NFT needs its own URI linking to specific details (e.g., address, size, value).

For real estate, each NFT should link to its own house, like Token 1 for “123 Main St” and Token 2 for “456 Oak Rd.” Without tokenURI, all NFTs might point to the same baseURI, making them look the same.

Impact

  1. The lending protocol might use NFTs as proof of ownership or collateral for loans. If they don’t show unique houses, lenders can’t tell what they’re worth or which property they’re tied to, breaking trust and usability.

  2. Older NFTs (e.g., Token 1 for “House A”) could lose their original meaning if baseURI changes, showing new data (e.g., “House B”). Users might think they own the wrong house.

Tools Used

Manual Review

Recommendations

To fix this and make the NFTs work properly for real estate assets, add a tokenURI function.
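
One way to write the recommended function, as an added example that is not code from the RAAC repository or from this report. It assumes OpenZeppelin Contracts v5 (`_requireOwned`, `Ownable(initialOwner)`); the contract name `HouseNFTExample`, the `mint` helper, the `.json` suffix convention and the placeholder CID are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5.x; the page does not state the version.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

// Hypothetical stand-in for RAACNFT, reduced to the metadata logic.
contract HouseNFTExample is ERC721, Ownable {
    using Strings for uint256;

    // Placeholder CID; the real value is the one shown in the report.
    string public baseURI = "ipfs://<metadata-folder-cid>/";

    event BaseURIUpdated(string uri);

    constructor() ERC721("House NFT Example", "HNE") Ownable(msg.sender) {}

    function _baseURI() internal view override returns (string memory) {
        return baseURI;
    }

    function setBaseUri(string memory _uri) external onlyOwner {
        baseURI = _uri;
        emit BaseURIUpdated(_uri);
    }

    // Per-token metadata URI: baseURI + tokenId + ".json",
    // e.g. ipfs://<metadata-folder-cid>/1.json for token 1.
    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        // Reverts with ERC721NonexistentToken for ids that were never minted.
        _requireOwned(tokenId);
        string memory base = _baseURI();
        // An empty base yields an empty URI instead of a dangling "1.json".
        if (bytes(base).length == 0) return "";
        return string.concat(base, tokenId.toString(), ".json");
    }

    // Mint helper so the example can be exercised; owner-only for simplicity.
    function mint(address to, uint256 tokenId) external onlyOwner {
        _safeMint(to, tokenId);
    }
}
```

Because `setBaseUri` stays owner-controlled in this sketch, a change to `baseURI` still repoints every existing token's URI at once, which is the situation Impact item 2 describes.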

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Metadata not properly configured
