[L-01] `tokenURI()` custom error is unreachable because `ownerOf()` reverts first
Description
tokenURI() checks ownerOf(tokenId) == address(0) to detect non-existent tokens, but OpenZeppelin's ownerOf() reverts with ERC721NonexistentToken before it can return address(0). The custom error is dead code.
Vulnerability Details
OpenZeppelin's ERC721 ownerOf() implementation reverts with ERC721NonexistentToken(tokenId) for non-existent tokens — it never returns address(0). The comparison ownerOf(tokenId) == address(0) can never be true because ownerOf() always either returns a nonzero owner or reverts. The custom error ERC721Metadata__URI_QueryFor_NonExistentToken is dead code that can never execute.
Risk
Likelihood:
Every call to
tokenURI()with a non-existent tokenId hits this. The custom error path is unreachable in all cases.
Impact:
Off-chain systems or frontends catching
ERC721Metadata__URI_QueryFor_NonExistentTokenwill never see it. They receiveERC721NonexistentTokeninstead, potentially breaking error handling logic that depends on the custom error.
PoC
The test calls tokenURI() with a non-existent tokenId and shows that OpenZeppelin's ERC721NonexistentToken is the actual revert error, not the protocol's custom error. Any frontend listening for the custom error will never catch it.
Recommendations
Use _ownerOf() instead of ownerOf(). The internal _ownerOf() returns address(0) for non-existent tokens without reverting, so the conditional check works as intended and the custom error actually fires.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.