search

code-423n4 / 2022-02-skale-findings

0 stars 0 forks source link

NFT owner can change tokenURI #26

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/schain/tokens/ERC721OnChain.sol#L73

Vulnerability details

Impact

In the ERC721OnChain implementation the token owner can set the token's URI using setTokenURI. Usually, this is token URI points to data defining the NFT (attributes, images, etc.). It's usually set by the contract owner. A user that owns an NFT can just spoof any other NFT data by changing the token URI to any of the other NFTs.

Recommended Mitigation Steps

Disallow the owner of an NFT to change its token URI

DimaStebaev commented 2 years ago

ERC721OnChain is a default implementation. If the token is sensitive to URI change SKALE chain owner can use another one. Not all ERC721 require that URI can't be changed.

GalloDaSballo commented 2 years ago

Because the argument for this being a setting can be made I am excluding a high severity.

However the code was brought into scope, the implementation under scrutiny does allow the owner to change the URI which is a known admin privilege.

For those reasons I believe the finding to be valid and of medium severity