Snowman.tokenURI contains a dead-code zero-address check that is unreachable because OZ ERC721 ownerOf reverts first
Description
Snowman.tokenURI attempts to handle queries for nonexistent token IDs by checking if (ownerOf(tokenId) == address(0)). However, OpenZeppelin's ERC721.ownerOf already reverts internally before the comparison is reached — in OZ v4.x with "ERC721: invalid token ID" and in OZ v5.x with ERC721NonexistentToken. The custom error ERC721Metadata__URI_QueryFor_NonExistentToken declared in this contract can therefore never be emitted.
Callers receive OpenZeppelin's standard revert instead of the contract's documented custom error, breaking any external integration that catches ERC721Metadata__URI_QueryFor_NonExistentToken to detect nonexistent-token queries.
Risk
Code-quality issue. External integrations or frontends that specifically catch ERC721Metadata__URI_QueryFor_NonExistentToken will not receive it — they will get an unexpected OZ revert instead. This breaks error handling for any caller relying on the documented error selector.
Proof of Concept
Result: [PASS] — OZ reverts before the custom error check is reached.
Recommended Mitigation
Replace the public ownerOf call with the internal _ownerOf, which returns address(0) for nonexistent tokens instead of reverting:
_ownerOf is the internal getter that returns address(0) for nonexistent tokens without reverting, allowing the custom error to actually be thrown.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.