Submission Details
Impact:
Likelihood:
Empty Token URI in Minted Rappers
Author Revealed upon completion
Root + Impact
Description
-
Minted NFTs should have a valid URI for metadata.
-
The specific issue is creating tokens with empty URI, leading to incomplete NFT display.
// In one_shot.move
let tok_ref = token::create(
// ...
//@> string::utf8(b""), // Empty URI
);
Risk
Likelihood:
High
-
A Rapper is minted.
-
Token has no URI.
Impact: Low
-
Poor usability in wallets/explorers.
-
Missing metadata visibility.
Proof of Concept
Mint Rapper: check token URI in explorer: empty.
#[test(module_owner = @battle_addr, recipient = @0x123)]
fun test_empty_token_uri(module_owner: &signer, recipient: &signer) acquires battle_addr::one_shot::Collection, battle_addr::one_shot::RapperStats {
// Setup
battle_addr::one_shot::init_module(module_owner);
// Mint rapper
battle_addr::one_shot::mint_rapper(module_owner, signer::address_of(recipient));
let token_id = /* assume */;
let token = /* fetch Object<Token> */;
let uri = aptos_token_v2::token::uri(token);
// Demonstrate: URI is empty
assert!(uri == string::utf8(b""), 0);
}
Recommended Mitigation
- string::utf8(b"")
+ string::utf8(b"https://aptos-rap-battle.dev/rappers/{token_id}") // Add dynamic or base URI
Rewards breakdown
nSLOC
436This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.