Santa's List

AI First Flight #3
Beginner Friendly, Foundry
Submission Details
Impact: low
Likelihood: low
Invalid

Every SANTA NFT returns the same hardcoded tokenURI regardless of tokenId, so all presents are visually identical

tokenURI returns the same hardcoded URI for every token, so all SANTA NFTs are identical regardless of id

Description

tokenURI ignores its tokenId argument and returns the single hardcoded TOKEN_URI constant inherited from TokenUri.sol, so every minted NFT resolves to the same metadata and artwork.

// SantasList.sol:187
function tokenURI(uint256 /* tokenId */ ) public pure override returns (string memory) {
    return TOKEN_URI; // @> same URI for every tokenId; argument ignored
}

Risk

Likelihood: Low

This is deterministic behavior for all tokens. Whether it is a defect depends on whether per-token art was intended; functionally the collection is uniform by design of this code.

Impact: Low

All SANTA NFTs are visually and metadata-identical, so the tokens are not individually distinguishable on marketplaces. There is no impact on funds, ownership, or contract logic; the concern is purely cosmetic/UX.

Proof of Concept

Two different token ids return byte-identical URIs.

function test_allTokensShareSameUri() public {
    assertEq(
        keccak256(bytes(santasList.tokenURI(0))),
        keccak256(bytes(santasList.tokenURI(1)))
    );
}

Recommended Mitigation

If per-token art is desired, derive the URI from tokenId; otherwise document the uniformity as intentional.

- function tokenURI(uint256 /* tokenId */ ) public pure override returns (string memory) {
- return TOKEN_URI;
+ function tokenURI(uint256 tokenId) public view override returns (string memory) {
+ return string.concat(BASE_URI, Strings.toString(tokenId), ".json");
}
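
Review bot: the replacement tokenURI on the `+` lines builds a URI for any tokenId, including ids that were never minted, so callers receive a plausible-looking URI for tokens that do not exist; revert for unminted ids before concatenating. BASE_URI and Strings are not declared anywhere in the visible lines, so the suggestion needs the constant's definition and the library import alongside it. If BASE_URI is a constant, the `pure` to `view` change is only needed once an existence check reads state.
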
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
