Handle
0xRajeev
Vulnerability details
Impact
A test parameter value of "https://todo/" is used for baseURI and should not be carried over to production. The use of "todo" indicates that the developer intends to change this at a later time, which should not be missed.
If this value is left in place, lookups of the NFT URI will fail or not resolve correctly.
Proof of Concept
https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L517-L519
Tools Used
Manual Analysis
Recommended Mitigation Steps
Change baseURI to the correct URI, using the base domain that hosts the NFT metadata.
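One way to keep a placeholder like this from being missed is a pre-deployment check over the contract source. The following is an added example, not code from the Beebots contract or the original report; the function name, the placeholder word list and the sample Solidity are assumptions constructed for illustration. It tokenizes comments and string literals together, so the `//` inside a URI is not mistaken for a comment and commented-out URIs are not reported.

```python
import re
from urllib.parse import urlparse

# Assumed list of host labels that mark a URI as a stand-in, not a real metadata host.
PLACEHOLDER_LABELS = {"todo", "tbd", "changeme", "placeholder", "example", "localhost"}

# One pass over comments and string literals; whichever starts first wins.
TOKEN = re.compile(
    r"//[^\n]*|/\*.*?\*/"        # line and block comments
    r"|\"(?:\\.|[^\"\\])*\""     # double-quoted string literal
    r"|'(?:\\.|[^'\\])*'",       # single-quoted string literal
    re.DOTALL,
)

def find_placeholder_uris(source):
    """Return (line, uri) for each http(s) string literal with a placeholder host."""
    findings = []
    for m in TOKEN.finditer(source):
        tok = m.group(0)
        if tok[0] not in "\"'":
            continue  # a comment: ignore any URI inside it
        value = tok[1:-1]
        try:
            parts = urlparse(value)
            host = (parts.hostname or "").lower()
        except ValueError:
            continue  # not a parseable URI
        if parts.scheme not in ("http", "https"):
            continue
        if not host or set(host.split(".")) & PLACEHOLDER_LABELS:
            findings.append((source.count("\n", 0, m.start()) + 1, value))
    return findings

# Constructed sample source; the ".invalid" host stands in for a real metadata domain.
SAMPLE = '''\
contract Sample {
    // previously "https://todo/" during testing
    function baseURI() public pure returns (string memory) {
        return "https://todo/";
    }
    /* string alt = "https://localhost/"; */
    string public contractURI = "https://metadata.nft-project.invalid/";
}
'''

if __name__ == "__main__":
    for line, uri in find_placeholder_uris(SAMPLE):
        print(f"line {line}: placeholder URI {uri!r}")
```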