The encodeTokenId() function is designed to create unique token identifiers for memorabilia items by combining collection IDs with item IDs, ensuring no conflicts between different collections and items within the ERC1155 standard. Under normal user experience expectations, token IDs should be reasonably sized numbers that display clearly in wallets, marketplaces, and user interfaces to provide intuitive identification and navigation.
However, the encoding mechanism uses a 128-bit left shift operation that generates astronomically large token IDs, with even the first memorabilia item (collection 100, item 1) producing a token ID of 13407807929942597099574024998205846016. These massive numbers create poor user experience in wallet interfaces, marketplace displays, and any user-facing applications that need to present token information in a human-readable format.
The vulnerability exists in the choice of 128-bit shifting which, while mathematically sound for avoiding collisions, creates token IDs that are impractical for user interfaces. The large numbers are difficult to read, copy, reference, and display in standard wallet and marketplace interfaces that expect more manageable token identifier ranges.
Likelihood:
The encoding issue manifests immediately upon creation of any memorabilia collection and item, as all memorabilia tokens will have collection IDs starting from 100, resulting in consistently massive token IDs for all memorabilia items.
The problem affects every user interaction with memorabilia tokens including wallet displays, marketplace listings, transaction histories, and any application interface that needs to present token information to users.
Impact:
Poor user experience in wallet and marketplace interfaces where massive token IDs are difficult to read, reference, or distinguish, potentially causing user confusion and reducing the usability of the memorabilia system without affecting core functionality.
Display and usability issues in third-party applications and interfaces that may truncate, misformat, or struggle to handle the large token ID numbers, creating inconsistent user experience across the ecosystem but without any financial or security implications.
The fix reduces the bit shift from 128 to 32 bits, creating more user-friendly token IDs while still maintaining sufficient collision protection for realistic collection and item quantities. This approach supports up to 4.2 billion collections and 4.2 billion items per collection, which exceeds any practical festival memorabilia needs while providing token IDs that display clearly in user interfaces and maintain better user experience across the ecosystem.
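The 32-bit layout described in the fix, as an added example (not the audited contract's code). It assumes encodeTokenId() takes the collection ID and item ID as two uint256 arguments; the library name, the FieldOutOfRange error and decodeTokenId() are hypothetical. The range check matters more with the narrower shift, because an unchecked item ID of 2^32 or above would spill into the collection bits and alias a token in another collection.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of a 32-bit token ID layout:
///   tokenId = (collectionId << 32) | itemId
/// Names other than encodeTokenId are hypothetical.
library TokenIdCodec32 {
    // Number of low bits reserved for the item ID.
    uint256 internal constant ITEM_BITS = 32;
    // Largest value either field may take (2^32 - 1).
    uint256 internal constant FIELD_MAX = type(uint32).max;

    error FieldOutOfRange(uint256 collectionId, uint256 itemId);

    /// Packs the two IDs into one ERC1155 token ID.
    /// Reverts instead of silently overlapping fields: without this check,
    /// (collection 1, item 2^32) and (collection 2, item 0) would encode
    /// to the same token ID.
    function encodeTokenId(uint256 collectionId, uint256 itemId)
        internal
        pure
        returns (uint256)
    {
        if (collectionId > FIELD_MAX || itemId > FIELD_MAX) {
            revert FieldOutOfRange(collectionId, itemId);
        }
        return (collectionId << ITEM_BITS) | itemId;
    }

    /// Inverse of encodeTokenId for IDs produced by it.
    function decodeTokenId(uint256 tokenId)
        internal
        pure
        returns (uint256 collectionId, uint256 itemId)
    {
        collectionId = tokenId >> ITEM_BITS;
        itemId = tokenId & FIELD_MAX;
    }
}
```

Changing the shift width changes every token ID, so it is only safe before any memorabilia tokens have been minted under the 128-bit layout.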