search

code-423n4 / 2023-04-caviar-findings

9 stars 4 forks source link

The `tokenURI` method does not check if the NFT has been minted and returns data for the contract that may be a fake NFT. #44

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/Factory.sol#L161 https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePoolMetadata.sol#L17

Vulnerability details

Impact

Proof of Concept

Example

  1. User creates a fake contract A simple example so that the tokenURI method does not revert:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

contract NFT {
    function balanceOf(address) external pure returns (uint256) {
        1;
    }
}

contract NonNFT {
    address public immutable nft;

    address public constant baseToken = address(0);
    uint256 public constant virtualBaseTokenReserves = 1 ether;
    uint256 public constant virtualNftReserves = 1 ether;
    uint256 public constant feeRate = 500;

    constructor() {
        nft = address(new NFT());
    }
}
  1. User deploy the contract
  2. Now, by using tokenURI() for the deployed user's address, one can fetch information about a non-existent NFT.

Tools Used

Recommended Mitigation Steps

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as primary issue

outdoteth commented 1 year ago

not sure if this should be medium or not

c4-sponsor commented 1 year ago

outdoteth requested judge review

c4-sponsor commented 1 year ago

outdoteth marked the issue as sponsor confirmed

GalloDaSballo commented 1 year ago

https://eips.ethereum.org/EIPS/eip-721#:~:text=function%20tokenURI(uint256%20_tokenId)%20external%20view%20returns%20(string)%3B

GalloDaSballo commented 1 year ago

Because the functionality breaks the EIP721 spec, I agree with Medium Severity, no funds are at risk

c4-judge commented 1 year ago

GalloDaSballo marked the issue as selected for report