Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

RAACNFT relies on baseURI instead of tokenURI

Summary

Not all RWAs can be known in advance, and it is likely that more tokens will be minted and added to IPFS. This cannot be done easily at present, because it requires changing the complete baseURI on every mint.

Vulnerability Details

Currently, NFT metadata is served through a baseURI that covers every tokenId: the tokenId is appended to the IPFS hash to form the tokenURI of each token.

    string public baseURI = "ipfs://QmZzEbTnUWs5JDzrLKQ9yGk1kvszdnwdMaVw9vNgjCFLo2/";

    function _baseURI() internal view override returns (string memory) {
        return baseURI;
    }

An IPFS folder hash (aka CID) is computed from every file in the folder. In the future it is likely that more NFTs will be minted, which means more files will have to be added to the folder, which in turn generates a new baseURI IPFS hash.

But tokenURI cannot be set on mint, which means that before or after every mint the owner will have to set baseURI using setBaseUri:

    function setBaseUri(string memory _uri) external override onlyOwner {
        baseURI = _uri;
        emit BaseURIUpdated(_uri);
    }

Impact

The impact is medium as:

  • mint is called by users while setBaseUri is restricted to the owner, so until the owner updates the baseURI, a user's NFT will have metadata that does not correspond to it if the token was not already included in the baseURI

  • Marketplaces usually take a long time to refresh metadata, and if baseURI is changed frequently, NFTs listed on marketplaces will not represent their current real value

Likelihood is high, as the protocol will likely add more RWAs after deployment to production, thus requiring the base URI to be set for every new house.

Recommendations

Two possibilities:

  • Mint should be executed by the owner or another new role and include a uri param that is passed to _setTokenURI on mint

  • To let users mint, a preMint function could be added that lets the owner or another role set the tokenURI before minting; mint would then require preMint to have been called first.
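A sketch of the second recommendation, added here as an illustration and not taken from the RAAC code base or the submission. It assumes OpenZeppelin Contracts v5; the contract name, error and event names, and the preMint/mint signatures are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not RAAC code. Assumes OpenZeppelin Contracts v5.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ERC721URIStorage} from "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract PerTokenURINFT is ERC721URIStorage, Ownable {
    // Metadata URI registered by the owner ahead of the user's mint.
    mapping(uint256 => string) private _pendingURI;

    error EmptyURI();
    error TokenAlreadyMinted(uint256 tokenId);
    error TokenNotPrepared(uint256 tokenId);

    event TokenURIPrepared(uint256 indexed tokenId, string uri);

    constructor() ERC721("Example RWA", "ERWA") Ownable(msg.sender) {}

    // Owner pins one metadata file per asset and records its own CID,
    // e.g. "ipfs://<CID of that token's JSON>", so adding a new asset
    // never changes the URI of tokens that already exist.
    function preMint(uint256 tokenId, string calldata uri) external onlyOwner {
        if (bytes(uri).length == 0) revert EmptyURI();
        if (_ownerOf(tokenId) != address(0)) revert TokenAlreadyMinted(tokenId);
        _pendingURI[tokenId] = uri;
        emit TokenURIPrepared(tokenId, uri);
    }

    // Users can only mint ids whose metadata is already registered, so a
    // token never exists on-chain without matching metadata.
    // Payment and pricing checks are outside this illustration.
    function mint(uint256 tokenId) external {
        string memory uri = _pendingURI[tokenId];
        if (bytes(uri).length == 0) revert TokenNotPrepared(tokenId);
        delete _pendingURI[tokenId]; // clear state before the external callback
        _safeMint(msg.sender, tokenId);
        _setTokenURI(tokenId, uri); // emits MetadataUpdate (ERC-4906)
    }
}
```

Because `_baseURI()` is left at its empty default, `tokenURI` returns the stored per-token string unchanged.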

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

0xalexsr Submitter
3 months ago
inallhonesty Lead Judge
3 months ago
inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Metadata not properly configured
