Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Missing Metadata (`tokenURI`) in NFT contract

Vulnerability Details

Bug Description

The EggstravaganzaNFT contract does not provide a usable implementation of tokenURI(uint256), the function of the ERC721 metadata extension (optional in EIP-721, but relied on by practically every marketplace, wallet and block explorer) that tells off-chain consumers where a token's metadata (name, description, image, attributes) lives. Without it, platforms such as OpenSea, LooksRare, wallets and block explorers have nothing to fetch and cannot render the eggs.

The absence of tokenURI makes the tokens non-functional in any environment that depends on metadata, so they show up as blank placeholders in NFT marketplaces. On-chain ownership and transfers still work; what breaks is the visual and collectible value proposition, which matters in a context like EggHuntGame, where collectible eggs are likely meant to carry visual or rarity traits that players care about.

Impact

  • Severity: Medium as submitted (the published judgement lists it as Low: no funds or ownership are at risk, only off-chain discoverability).

  • Unusable NFTs: Without metadata, the NFTs are not visually represented on most platforms. This directly harms user experience, as collectors typically expect their NFTs to show unique images or properties.

  • Marketplace Integration Failure: Platforms like OpenSea call tokenURI to populate listings. Without a usable response, NFTs appear as "unidentified" or are excluded entirely from search and discovery.

  • Game Immersion Broken: If EggHuntGame relies on metadata for in-game visuals or mechanics (e.g., different egg types, rarity, attributes), those systems cannot work as intended.

  • Lack of Verifiability: Players cannot verify that their egg has the right image or traits, which may cause trust issues, particularly in competitive or reward-driven environments.

Tools Used

  • Manual Review

Recommended Mitigation Steps

  1. Implement tokenURI(uint256 tokenId): Either inherit OpenZeppelin's ERC721URIStorage (per-token URIs set at mint time) or override tokenURI (or just _baseURI) to return a URI pointing at your metadata storage (IPFS, a centralized host, or a dynamic API). Make sure the function reverts for token ids that have not been minted, so consumers are not pointed at phantom files.

    Example (assumes OpenZeppelin's ERC721 and Ownable are already inherited):

    import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

    string private baseURI;

    // Owner-only; consider emitting an event so indexers notice the change.
    function setBaseURI(string memory _baseURI) external onlyOwner {
        baseURI = _baseURI;
    }

    // `_exists` is OpenZeppelin 4.x; on 5.x replace the require with `_requireOwned(tokenId)`.
    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        require(_exists(tokenId), "ERC721Metadata: URI query for nonexistent token");
        return string(abi.encodePacked(baseURI, Strings.toString(tokenId), ".json"));
    }
  2. Integrate Metadata Hosting: Host metadata JSON files (either statically or dynamically via an API) that define each token’s name, description, image, and attributes.

  3. Testing & Marketplace Validation: Cover tokenURI in the unit tests (minted id returns the expected URI, unminted id reverts). After deployment, call tokenURI on the live contract (for example with Foundry's cast call) to confirm the returned URI resolves to valid JSON, then mint a test NFT and validate its appearance on OpenSea, Zora, and wallets like MetaMask.

Proof of Concept

Step-by-step example demonstrating the issue:

  1. Mint an NFT: The EggHuntGame calls mintEgg(player, tokenId) and the egg is minted to the player. ownerOf(tokenId) returns the player, so the token itself is valid on-chain.

  2. User Opens OpenSea or Wallet: The user checks their wallet or connected marketplace.

  3. No Metadata Appears: The NFT shows up as a generic placeholder or isn't visible at all. There is no image, name, or description.

  4. Indexer Call Yields Nothing: The platform calls tokenURI(tokenId). If the function is genuinely absent, the call hits the contract's fallback and reverts; if the contract inherits OpenZeppelin's ERC721 and simply never overrides _baseURI, the call succeeds but returns an empty string. In both cases the indexer has no metadata to fetch.

  5. User Confusion Ensues: The player cannot view or interact with their NFT, which negatively impacts the perception of the product and may reduce retention.
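The Foundry test below is an added example, not code from the Eggstravaganza repository. It models both the behaviour described in the Proof of Concept above and the fix from the Recommended Mitigation Steps: a stand-in NFT that inherits OpenZeppelin 5.x ERC721 and Ownable with a game-only mintEgg(address,uint256) and no base URI, and a hardened subclass that serves metadata and reverts for unminted ids. The contract names, the setGameContract helper, and the ipfs://bafybeiexample/ base URI are constructed for illustration and are assumptions, not the audited source.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

// Constructed stand-in for the reported pattern (not the audited contract):
// an OZ ERC721 with a game-controlled mint and no `_baseURI` override.
contract EggNFTWithoutURI is ERC721, Ownable {
    address public gameContract;

    constructor() ERC721("Eggstravaganza", "EGG") Ownable(msg.sender) {}

    // Hypothetical setter so the test can authorise a minter.
    function setGameContract(address game) external onlyOwner {
        gameContract = game;
    }

    function mintEgg(address to, uint256 tokenId) external {
        require(msg.sender == gameContract, "Unauthorized minter");
        _mint(to, tokenId);
    }
}

// Hardened version: owner-settable base URI, event for indexers,
// revert on unminted ids (OZ 5.x `_requireOwned`; use `_exists` on 4.x).
contract EggNFTWithURI is EggNFTWithoutURI {
    using Strings for uint256;

    string private baseURI;

    event BaseURIUpdated(string newBaseURI);

    function setBaseURI(string memory newBaseURI) external onlyOwner {
        baseURI = newBaseURI;
        emit BaseURIUpdated(newBaseURI);
    }

    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        _requireOwned(tokenId);
        return string.concat(baseURI, tokenId.toString(), ".json");
    }
}

contract EggTokenURITest is Test {
    address game = makeAddr("game");
    address player = makeAddr("player");

    // Reproduces the Proof of Concept: the mint works, the metadata call is empty.
    function test_missingBaseURI_returnsEmptyString() public {
        EggNFTWithoutURI nft = new EggNFTWithoutURI();
        nft.setGameContract(game);
        vm.prank(game);
        nft.mintEgg(player, 1);

        assertEq(nft.ownerOf(1), player);          // token is valid on-chain
        assertEq(bytes(nft.tokenURI(1)).length, 0); // nothing for a marketplace to fetch
    }

    // Verifies the mitigation: URI is served for minted ids, unminted ids revert.
    function test_fixedContract_servesMetadata() public {
        EggNFTWithURI nft = new EggNFTWithURI();
        nft.setGameContract(game);
        nft.setBaseURI("ipfs://bafybeiexample/"); // constructed placeholder CID
        vm.prank(game);
        nft.mintEgg(player, 7);

        assertEq(nft.tokenURI(7), "ipfs://bafybeiexample/7.json");

        vm.expectRevert(); // ERC721NonexistentToken(8)
        nft.tokenURI(8);
    }
}
```

Run it with forge test from a project that has forge-std and OpenZeppelin 5.x installed. The first test is what a marketplace indexer sees today; the second is the acceptance check for the fix, and the revert on id 8 is the guard that keeps consumers from being pointed at a JSON file that does not exist.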

Updates

Lead Judging Commences

m3dython Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing Token URI
