Root: The constructor accepts the _SnowmanSvgUri parameter without validating that it is not an empty string, allowing the contract to be deployed with an invalid or missing metadata URI.
Impact: NFTs could be deployed with blank or invalid metadata, resulting in broken token URIs that display no image or description, severely degrading the user experience and NFT functionality.
Normal Behavior: Constructor parameters that define critical contract functionality should be validated to ensure they contain valid, non-empty values before contract deployment.
Specific Issue: An empty string passed as _SnowmanSvgUri will result in all NFTs having malformed metadata with missing images, making the tokens effectively useless for their intended purpose as collectible NFTs.
Likelihood: Medium
Deployment scripts or manual deployments could accidentally pass empty strings due to configuration errors
No validation exists to catch this error before contract deployment, making it a permanent issue once deployed
Impact: Medium
Broken NFT Functionality: All minted NFTs will have invalid metadata and missing images, rendering them essentially worthless
Permanent Deployment Issue: Once deployed with an empty URI, the contract cannot be fixed and would require redeployment
User Experience Degradation: NFT holders receive tokens that cannot display properly in wallets or marketplaces
Add validation for the SVG URI parameter to prevent deployment with empty or invalid metadata.
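One way to implement this check, shown as an added example and not the audited contract's code. Only the parameter name _SnowmanSvgUri comes from the finding; the contract name, error names, storage variable and the data-URI prefix rule are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration: a minimal stand-in that keeps only the constructor
// parameter named in the finding. It is not the audited contract.
contract SnowmanUriGuard {
    // Hypothetical custom errors, named for this example.
    error EmptySvgUri();
    error SvgUriNotDataImage();

    // Assumption: the image is supplied as an embedded SVG data URI.
    // Drop this constant and the prefix check if other schemes are valid.
    bytes private constant REQUIRED_PREFIX = "data:image/svg+xml";

    // Hypothetical storage name for the validated URI.
    string private s_svgUri;

    constructor(string memory _SnowmanSvgUri) {
        bytes memory uri = bytes(_SnowmanSvgUri);

        // Core fix: a revert in the constructor aborts deployment, so a
        // contract with a blank URI can never exist on chain.
        if (uri.length == 0) revert EmptySvgUri();

        // Optional stricter check: the URI must start with the expected
        // prefix and carry at least one byte of payload after it.
        if (uri.length <= REQUIRED_PREFIX.length) revert SvgUriNotDataImage();
        for (uint256 i = 0; i < REQUIRED_PREFIX.length; i++) {
            if (uri[i] != REQUIRED_PREFIX[i]) revert SvgUriNotDataImage();
        }

        s_svgUri = _SnowmanSvgUri;
    }

    // Exposes the stored value so a deployment script or test can confirm
    // what was actually written.
    function imageUri() external view returns (string memory) {
        return s_svgUri;
    }
}
```

Because the check runs in the constructor, a misconfigured deployment script fails at deploy time instead of producing a contract that has to be redeployed.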