Submission Details
Impact:
Likelihood:
Non standard URI format
Root + Impact
Description
The ERC-1155 URI standard format is:
https://example.com/api/item/{id}.json/
-
The
{id}placeholder is literally the string{id}, not a variable -
If the contract is returning explicid
idthen it must return 64 characterToken ID
1becomes0000000000000000000000000000000000000000000000000000000000000001
-
The URI ends with
.json
Risk
Impact:
-
Wallet/Marketplace Incompatibility
-
Broken metadata displayin dApps
Recommended Mitigation
Follow standard in
function uri(uint256 tokenId) public view override returns (string memory)
// Override URI to handle collections and items
function uri(uint256 tokenId) public view override returns (string memory) {
// Handle regular passes (IDs 1-3)
if (tokenId <= BACKSTAGE_PASS) {
return
string(
abi.encodePacked(
"ipfs://beatdrop/",
tokenIdToString(tokenId),
".json"
)
);
}
// Decode collection and item IDs
(uint256 collectionId, uint256 itemId) = decodeTokenId(tokenId);
// Check if it's a valid memorabilia token
if (collections[collectionId].priceInBeat > 0) {
// Return specific URI for this item
// e.g., "ipfs://QmXXX/metadata/5" for item #5
return
string(
abi.encodePacked(
collections[collectionId].baseUri,
"/metadata/",
tokenIdToString(itemId),
".json"
)
);
}
return super.uri(tokenId);
}
function tokenIdToString(
uint256 tokenId
) internal pure returns (string memory) {
bytes memory alphabet = "0123456789abcdef";
bytes memory str = new bytes(64);
for (uint256 i = 0; i < 32; i++) {
str[63 - i * 2] = alphabet[tokenId & 0xf];
str[62 - i * 2] = alphabet[(tokenId >> 4) & 0xf];
tokenId >>= 8;
}
return string(str);
}
Rewards breakdown
nSLOC
234This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.