Root + Impact

Description

• tokenURI() constructs JSON metadata for NFTs, but the rarity value in the attributes array is not properly quoted:

• This produces: "value": common instead of the valid JSON "value": "common".

• Per RFC 8259, string values in JSON must be enclosed in double quotes. The output is invalid JSON and will break:

  • NFT marketplace displays (OpenSea, Rarible, LooksRare)

  • Any JSON parser consuming the tokenURI response

  • Metadata indexers and aggregators

Risk

Likelihood:

• Every minted NFT has broken metadata — 100% occurrence rate

Impact:

• Low — no fund loss, but NFT display is broken across all marketplaces

• NFTs may appear without attributes or fail to render entirely on marketplaces

Proof of Concept

How the issue manifests:

1. A raffle completes and selectWinner() mints an NFT to the winner via _safeMint()

2. When any marketplace or application calls tokenURI(tokenId), it receives a base64-encoded JSON string

3. After decoding, the JSON contains "value": common (unquoted string) which is invalid per RFC 8259

4. Standard JSON parsers (JSON.parse(), Python json.loads()) throw a parse error, and the NFT metadata fails to display

Vulnerable code (src/PuppyRaffle.sol:196-214):

Expected outcome: Every minted NFT produces invalid JSON metadata, causing display failures across all NFT marketplaces and metadata indexers.

Recommended Mitigation

The root cause is that rareName (a string) is concatenated into the JSON without wrapping it in double quotes. Per RFC 8259, JSON string values must be enclosed in "...". The fix is straightforward: add quote delimiters around the interpolated value.

Primary fix — Quote the rarity value:

Complete corrected tokenURI metadata block:

Why this works: The added " characters before and after rareName ensure the output conforms to the JSON specification. All standard JSON parsers (JSON.parse() in JavaScript, json.loads() in Python) and NFT marketplace indexers (OpenSea, Rarible) will correctly parse the metadata.

Verification: After the fix, the decoded JSON for a common rarity NFT should be:

Additional consideration: If rareName could ever contain characters that need JSON escaping (e.g., ", \, newlines), a proper JSON encoding library should be used. For the current codebase where rareName is one of four hardcoded strings ("common", "rare", "legendary", "ultra rare"), simple string concatenation with quotes is sufficient.