Closed c4-submissions closed 11 months ago
https://github.com/code-423n4/2023-09-delegate/blob/main/src/MarketMetadata.sol#L45
Web3 logic may be error prone by the wrong delegate token URL.
In DelegateToken.tokenURL(), MarketMetadata.delegateTokenURI() is called. MarketMetadata.delegateTokenURI() is as follows.
DelegateToken.tokenURL()
MarketMetadata.delegateTokenURI()
File: MarketMetadata.sol 37: function delegateTokenURI(address tokenContract, uint256 delegateTokenId, uint256 expiry, address principalOwner) external view returns (string memory) { 38: string memory idstr = Strings.toString(delegateTokenId); 39: 40: string memory pownerstr = principalOwner == address(0) ? "N/A" : Strings.toHexString(principalOwner); 41: //slither-disable-next-line timestamp 42: string memory status = principalOwner == address(0) || expiry <= block.timestamp ? "Expired" : "Active"; 43: 44: string memory firstPartOfMetadataString = string.concat( 45: '{"name":"Delegate Token #"', 46: idstr, 47: '","description":"DelegateMarket lets you escrow your token for a chosen timeperiod and receive a token representing the associated delegation rights. This collection represents the tokenized delegation rights.","attributes":[{"trait_type":"Collection Address","value":"', 48: Strings.toHexString(tokenContract), 49: '"},{"trait_type":"Token ID","value":"', 50: idstr, 51: '"},{"trait_type":"Expires At","display_type":"date","value":', 52: Strings.toString(expiry) 53: ); 54: string memory secondPartOfMetadataString = string.concat( 55: '},{"trait_type":"Principal Owner Address","value":"', 56: pownerstr, 57: '"},{"trait_type":"Delegate Status","value":"', 58: status, 59: '"}]', 60: ',"image":"', 61: delegateTokenBaseURI, 62: "rights/", 63: idstr, 64: '"}' 65: ); 66: // Build via two substrings to avoid stack-too-deep 67: string memory metadataString = string.concat(firstPartOfMetadataString, secondPartOfMetadataString); 68: 69: return string.concat("data:application/json;base64,", Base64.encode(bytes(metadataString))); 70: }
In L45, the last " character is wrong and this error leads the meta data string to invalid JSON format.
Manual Review
MarketMetadata.delegateTokenURI() should be modified as follows.
File: MarketMetadata.sol 37: function delegateTokenURI(address tokenContract, uint256 delegateTokenId, uint256 expiry, address principalOwner) external view returns (string memory) { 38: string memory idstr = Strings.toString(delegateTokenId); ... 44: string memory firstPartOfMetadataString = string.concat( 45: - '{"name":"Delegate Token #"', 45: + '{"name":"Delegate Token #', 46: idstr, ... 69: return string.concat("data:application/json;base64,", Base64.encode(bytes(metadataString))); 70: }
Error
MarketMetadata.sol is not in scope
0xfoobar (sponsor) disputed
GalloDaSballo marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/main/src/MarketMetadata.sol#L45
Vulnerability details
Impact
Web3 logic may be error prone by the wrong delegate token URL.
Proof of Concept
In
DelegateToken.tokenURL()
,MarketMetadata.delegateTokenURI()
is called.MarketMetadata.delegateTokenURI()
is as follows.In L45, the last " character is wrong and this error leads the meta data string to invalid JSON format.
Tools Used
Manual Review
Recommended Mitigation Steps
MarketMetadata.delegateTokenURI()
should be modified as follows.Assessed type
Error