search

code-423n4 / 2023-09-delegate-findings

2 stars 1 forks source link

Incorrect delegate token URI in MarketMetadata.sol. #265

Closed c4-submissions closed 11 months ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/main/src/MarketMetadata.sol#L45

Vulnerability details

Impact

Web3 logic may be error prone by the wrong delegate token URL.

Proof of Concept

In DelegateToken.tokenURL(), MarketMetadata.delegateTokenURI() is called. MarketMetadata.delegateTokenURI() is as follows.

File: MarketMetadata.sol
37:     function delegateTokenURI(address tokenContract, uint256 delegateTokenId, uint256 expiry, address principalOwner) external view returns (string memory) {
38:         string memory idstr = Strings.toString(delegateTokenId);
39: 
40:         string memory pownerstr = principalOwner == address(0) ? "N/A" : Strings.toHexString(principalOwner);
41:         //slither-disable-next-line timestamp
42:         string memory status = principalOwner == address(0) || expiry <= block.timestamp ? "Expired" : "Active";
43: 
44:         string memory firstPartOfMetadataString = string.concat(
45:             '{"name":"Delegate Token #"',
46:             idstr,
47:             '","description":"DelegateMarket lets you escrow your token for a chosen timeperiod and receive a token representing the associated delegation rights. This collection represents the tokenized delegation rights.","attributes":[{"trait_type":"Collection Address","value":"',
48:             Strings.toHexString(tokenContract),
49:             '"},{"trait_type":"Token ID","value":"',
50:             idstr,
51:             '"},{"trait_type":"Expires At","display_type":"date","value":',
52:             Strings.toString(expiry)
53:         );
54:         string memory secondPartOfMetadataString = string.concat(
55:             '},{"trait_type":"Principal Owner Address","value":"',
56:             pownerstr,
57:             '"},{"trait_type":"Delegate Status","value":"',
58:             status,
59:             '"}]',
60:             ',"image":"',
61:             delegateTokenBaseURI,
62:             "rights/",
63:             idstr,
64:             '"}'
65:         );
66:         // Build via two substrings to avoid stack-too-deep
67:         string memory metadataString = string.concat(firstPartOfMetadataString, secondPartOfMetadataString);
68: 
69:         return string.concat("data:application/json;base64,", Base64.encode(bytes(metadataString)));
70:     }

In L45, the last " character is wrong and this error leads the meta data string to invalid JSON format.

Tools Used

Manual Review

Recommended Mitigation Steps

MarketMetadata.delegateTokenURI() should be modified as follows.

File: MarketMetadata.sol
37:     function delegateTokenURI(address tokenContract, uint256 delegateTokenId, uint256 expiry, address principalOwner) external view returns (string memory) {
38:         string memory idstr = Strings.toString(delegateTokenId);
...
44:         string memory firstPartOfMetadataString = string.concat(
45: -            '{"name":"Delegate Token #"',
45: +            '{"name":"Delegate Token #',
46:             idstr,
...
69:         return string.concat("data:application/json;base64,", Base64.encode(bytes(metadataString)));
70:     }

Assessed type

Error

0xfoobar commented 12 months ago

MarketMetadata.sol is not in scope

c4-sponsor commented 12 months ago

0xfoobar (sponsor) disputed

c4-judge commented 11 months ago

GalloDaSballo marked the issue as unsatisfactory: Out of scope