Submission Details
Impact:
Likelihood:
[L-4] Token id encoding vulnerability in `FestivalPass::encodeTokenId` function
Description
The function encodeTokenId is defined as:
```javascript
function encodeTokenId(uint256 collectionId, uint256 itemId) public pure returns (uint256) {
return (collectionId << COLLECTION_ID_SHIFT) + itemId;
}
```
While:
`uint256 constant COLLECTION_ID_SHIFT = 128;`
This encodes a single uint256 token ID by left-shifting the collectionId 128 bits, and adding the itemId.
-> While this is a common technique, there are no input constraints on collectionId or itemId, meaning:
- A malicious or incorrect value for collectionId or itemId could overflow or overlap with another token's ID.
- If itemId >= 2^128, it could spill into the collectionId bits.
- If collectionId >= 2^128, it could exceed the 256-bit boundary and wrap silently in arithmetic.
- Also, collectionId = 0 and itemId = 0 yields tokenId = 0, which might conflict with internal reserved IDs or logic.
Risk
Impact:
Token ID collision, invalid metadata decoding, or broken decodeTokenId behavior
Proof of Concept
```javascript
// Legitimate collectionId, but itemId too large
encodeTokenId(42, 2 ** 129); // itemId spills into high bits
```
Recommended Mitigation
```diff
function encodeTokenId(uint256 collectionId, uint256 itemId) public pure returns (uint256) {
+ require(collectionId < (1 << COLLECTION_ID_SHIFT), "Collection ID overflow");
+ require(itemId <= type(uint128).max, "Item ID overflow");
return (collectionId << COLLECTION_ID_SHIFT) + itemId;
}
```
Rewards breakdown
nSLOC
234This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.