NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: low
Likelihood: high

L04. `metadataFrozen` state variable is declared but never read or written

Author: Revealed upon completion

Root + Impact

Description

  • The contract declares `bool public metadataFrozen`, implying that at some point the collection's metadata (URI) can be locked to prevent post-reveal changes.

  • Neither a setter nor any consumer of `metadataFrozen` is implemented. The variable always holds its zero default (`false`), `collectionImage` is not guarded by any freeze check, and there is no way to activate the freeze.

// @> declared but never written or checked anywhere in the contract
bool public metadataFrozen;
string private collectionImage;
// @> _baseURI() returns collectionImage with no frozen check
function _baseURI() internal view override returns (string memory) {
    return collectionImage;
}

Risk

Likelihood: High

  • The variable is always false. No mechanism can change it.

Impact: Low

  • No funds are at risk. The contract state is internally consistent; the variable has no effect.

  • NFT buyers may expect metadata to be frozen after reveal (a common guarantee in NFT projects), but this expectation cannot be met by the current contract.
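As an added illustration (not the NFT Dealers contract or the submitter's code), this is the guarantee the flag implies once it is actually wired in: a one-way freeze that is checked where the string is written. `FreezableMetadata`, `setCollectionImage`, `baseURI`, the events and the custom errors are hypothetical names, since the page does not show how `collectionImage` is assigned.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Only metadataFrozen, collectionImage and freezeMetadata
// are names taken from the finding; everything else is hypothetical.
contract FreezableMetadata {
    address public immutable owner;
    bool public metadataFrozen;      // written by freezeMetadata(), read by the setter
    string private collectionImage;

    event CollectionImageUpdated(string newImage);
    event MetadataFrozen(string finalImage);

    error NotOwner();
    error MetadataIsFrozen();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(string memory initialImage) {
        owner = msg.sender;
        collectionImage = initialImage;
    }

    // Write path: the only place the flag has to be checked.
    function setCollectionImage(string calldata newImage) external onlyOwner {
        if (metadataFrozen) revert MetadataIsFrozen();
        collectionImage = newImage;
        emit CollectionImageUpdated(newImage);
    }

    // One-way switch: there is deliberately no unfreeze function.
    function freezeMetadata() external onlyOwner {
        if (metadataFrozen) revert MetadataIsFrozen();
        metadataFrozen = true;
        emit MetadataFrozen(collectionImage);
    }

    // Read path stays unguarded so the URI keeps resolving after the freeze.
    // Stands in for the _baseURI() override quoted in the Description.
    function baseURI() external view returns (string memory) {
        return collectionImage;
    }
}
```

The `MetadataFrozen` event gives indexers and marketplaces an on-chain record of the final value at the moment the switch is flipped.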

Recommended Mitigation

Either implement the freeze mechanism or remove the dead variable.

To implement:

+ function freezeMetadata() external onlyOwner {
+ metadataFrozen = true;
+ }
function _baseURI() internal view override returns (string memory) {
+ require(!metadataFrozen, "Metadata is frozen");
return collectionImage;
}
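Review bot: The `require(!metadataFrozen, "Metadata is frozen")` added to `_baseURI()` guards the read path instead of the write path. `_baseURI()` is a view that only returns `collectionImage`, so after `freezeMetadata()` is called every caller of `_baseURI()` reverts (if the contract inherits OpenZeppelin's ERC721, that includes `tokenURI()`), while the stored string gains no protection against being changed. Leave `_baseURI()` as it was and put the check in whichever function assigns `collectionImage`. It would also help to emit an event from `freezeMetadata()` so the one-way switch is visible off-chain.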

To remove:

- bool public metadataFrozen;
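Review bot: The `public` keyword on this declaration also generates a `metadataFrozen()` getter, so deleting the line removes that function from the contract's ABI. Before removing it, confirm that no test, script or front end calls the getter, and drop any project documentation that promises a metadata freeze.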
