Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: low
Invalid

Missing Empty URI Validation in `WeatherNft.sol` Constructor

Root + Impact

Description

  • The constructor of the `WeatherNft.sol` contract maps weather types to their corresponding image URIs without validating that the URIs are non-empty strings. It only checks that the two arrays have matching lengths; it does not inspect their contents.

  • If the contract is deployed with empty strings in the `weatherURIs` array, NFTs will be created with missing image references.
    The loop below accepts empty URIs at initialization, which breaks NFT metadata resolution:

for (uint256 i; i < weathers.length; ++i) {
    // No content check: an empty string is stored as the token URI for this weather type.
    s_weatherToTokenURI[weathers[i]] = weatherURIs[i];
}


Impact:

  • NFTs could be minted with missing image URIs, resulting in broken metadata. This would lead to NFTs that don't properly display in wallets, reducing their utility and value. Once deployed, there's no mechanism to update the URIs for weather types.

Proof of Concept

weatherURIs = ["valid_uri_1", "", "valid_uri_3", " ", "valid_uri_5", "valid_uri_6"];
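
The empty and single-space entries from this array can be turned into a deployment check. The Foundry test below is an added example, not code from the submission or from the project: `WeatherUriTable` is a hypothetical stand-in that keeps only the URI mapping, and the `uint8` weather key, the `BlankUri` error and the `_isBlank` helper are assumptions. It needs a Foundry project with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Added example: minimal stand-in for the URI table filled by the WeatherNft.sol constructor.
// The uint8 weather key and all names except s_weatherToTokenURI are assumptions.
contract WeatherUriTable {
    error BlankUri(uint256 index);
    mapping(uint8 => string) public s_weatherToTokenURI;

    constructor(uint8[] memory weathers, string[] memory weatherURIs) {
        require(weathers.length == weatherURIs.length, "length mismatch");
        for (uint256 i; i < weathers.length; ++i) {
            // Rejects "" and whitespace-only entries such as " ".
            if (_isBlank(weatherURIs[i])) revert BlankUri(i);
            s_weatherToTokenURI[weathers[i]] = weatherURIs[i];
        }
    }

    // True when the string is empty or holds only space, tab, LF or CR bytes.
    function _isBlank(string memory uri) private pure returns (bool) {
        bytes memory b = bytes(uri);
        for (uint256 j; j < b.length; ++j) {
            if (b[j] != 0x20 && b[j] != 0x09 && b[j] != 0x0a && b[j] != 0x0d) return false;
        }
        return true;
    }
}

contract WeatherUriTableTest is Test {
    // Deploys with two constructed entries; the second URI is the one under test.
    function _deploy(string memory second) private returns (WeatherUriTable) {
        uint8[] memory weathers = new uint8[](2);
        weathers[1] = 1;
        string[] memory uris = new string[](2);
        uris[0] = "valid_uri_1";
        uris[1] = second;
        return new WeatherUriTable(weathers, uris);
    }

    function test_RevertsOnEmptyAndWhitespaceUri() public {
        vm.expectRevert(abi.encodeWithSelector(WeatherUriTable.BlankUri.selector, uint256(1)));
        _deploy("");
        vm.expectRevert(abi.encodeWithSelector(WeatherUriTable.BlankUri.selector, uint256(1)));
        _deploy(" ");
    }
    function test_StoresNonBlankUri() public {
        assertEq(_deploy("valid_uri_3").s_weatherToTokenURI(1), "valid_uri_3");
    }
}
```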

Recommended Mitigation

Add validation so that each URI must be non-empty. This ensures that all weather states have valid image references when the contract is deployed:

for (uint256 i; i < weathers.length; ++i) {
+ require(bytes(weatherURIs[i]).length > 0, "Empty URI not allowed");
s_weatherToTokenURI[weathers[i]] = weatherURIs[i];
}
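
Review bot: the added `require(bytes(weatherURIs[i]).length > 0, ...)` line rejects only zero-length strings, so the single-space entry `" "` listed in the proof of concept still passes and is stored as a token URI. If whitespace-only values are meant to be rejected, scan the bytes for at least one non-whitespace character, or require an expected scheme prefix, before the assignment. A custom error carrying the index `i` would also make a failed deployment easier to diagnose than the fixed revert string.
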
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
