Snowman Merkle Airdrop

​

​

* Normally, when setting a metadata URI (such as an SVG URI) for NFTs, the input should be validated to ensure it's non-empty and conforms to expected URI schemes. This helps prevent incorrect or malicious metadata configurations.

​

* In the constructor of the `Snowman` contract, the `s_SnowmanSvgUri` is directly assigned without validation. If an empty or malformed URI is passed, it will break the visual representation and metadata of all minted NFTs.

​

constructor(string memory _SnowmanSvgUri) ERC721("Snowman Airdrop", "SNOWMAN") Ownable(msg.sender) {

@> s_SnowmanSvgUri = _SnowmanSvgUri;

}

​

​

**Likelihood**:

​

* This will occur if the deployer mistakenly passes an empty string, whitespace, or malformed URI during deployment.

​

**Impact**:

​

* All NFTs minted under this contract will have invalid metadata rendering in wallets and marketplaces.

​

* Breaks NFT user experience and potentially affects floor price due to invisible/invalid NFTs.

​

The following solidity example shows that Snowman contract can be deployed with empty URI's.

// Deploy the Snowman contract with an empty URI

string memory emptyURI = "";

Snowman snowman = new Snowman(emptyURI);

​

// mint a token

snowman.mintSnowman(user, 1);

​

// tokenURI will now contain an empty image field

string uri = snowman.tokenURI(0);

// Resulting JSON metadata will be invalid for marketplaces

​

Add a require statement to make sure non empty URI's are added.

constructor(string memory _SnowmanSvgUri) ERC721("Snowman Airdrop", "SNOWMAN") Ownable(msg.sender) {

- s_SnowmanSvgUri = _SnowmanSvgUri;

+ require(bytes(_SnowmanSvgUri).length > 0, "Snowman: Empty URI not allowed");

+ s_SnowmanSvgUri = _SnowmanSvgUri;

}