code-423n4 / 2024-06-panoptic-findings


The `tokenURI` function doesn't verify if a token ID is valid before returning its metadata. This means it could return data for a fake or non-existent NFT. #15

Closed howlbot-integration[bot] closed 1 month ago

howlbot-integration[bot] commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L40

Vulnerability details

Impact

Anyone can exploit the tokenURI function with a fake tokenID. The function doesn't check if the tokenId is real and returns data that makes it look like a real factory NFT. The returned data can be used to deceive potential users (especially in integrations and on the marketplace), as the function will return data for a non-existent NFT id that appears to be a genuine factory NFT. This will lead to a poor user experience or financial loss for users.

This also violates the ERC721 standard.

Proof of Concept

The tokenURI method lacks any requirement stating that the provided NFT id must be created. We can also see that in the standard implementation by OpenZeppelin, this check is present.

    // FactoryNFT.tokenURI as reported: the token ID is reinterpreted as a pool
    // address and metadata is built from it, with no check that the ID was minted.
    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        address panopticPool = address(uint160(tokenId));

        return
            constructMetadata(
                panopticPool,
                PanopticMath.safeERC20Symbol(PanopticPool(panopticPool).univ3pool().token0()),
                PanopticMath.safeERC20Symbol(PanopticPool(panopticPool).univ3pool().token1()),
                PanopticPool(panopticPool).univ3pool().fee()
            );
    }

And as for the EIP compliance:

Throws if _tokenId is not a valid NFT

An attacker can simply create a basic NFT, preferably impersonating a Factory NFT; he deploys the contract and offers it on a marketplace for sale; unsuspecting users query the tokenURI of the NFT; the function works normally as it doesn't check if it's a real one; users get deceived into thinking the NFT is a real one, which can lead to potential loss of funds.

Tools Used

Manual code review

Recommended Mitigation Steps

Consider checking that the NFT exists.

Assessed type

ERC721
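The mitigation above ("check that the NFT exists") in working form, as an added example that is not Panoptic's FactoryNFT code nor the OpenZeppelin implementation: a minimal self-contained NFT whose `tokenURI` reverts for any ID that was never minted, placed beside the unchecked pattern from the report for contrast. The contract name, the `_owners` mapping, the `minter` role, `mint`, `exists`, `tokenURIUnchecked` and `_buildMetadata` are all assumptions made for this example; in a contract built on OpenZeppelin ERC721 the same check is `_exists(tokenId)` (v4) or `_requireOwned(tokenId)` (v5).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the audited contract: an NFT whose tokenURI honours the
/// ERC-721 rule "Throws if _tokenId is not a valid NFT".
contract ExistenceCheckedNFT {
    error TokenDoesNotExist(uint256 tokenId);
    error AlreadyMinted(uint256 tokenId);
    error NotMinter();

    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);

    // Assumption: ownership tracked in a plain mapping (a library such as
    // OpenZeppelin exposes the same fact through _ownerOf / _requireOwned).
    mapping(uint256 => address) private _owners;
    address public immutable minter;
    string private _baseMetadata;

    constructor(string memory baseMetadata) {
        minter = msg.sender;
        _baseMetadata = baseMetadata;
    }

    /// Hypothetical mint; in the report's scenario the ID encodes a pool address.
    function mint(address to, uint256 tokenId) external {
        if (msg.sender != minter) revert NotMinter();
        if (_owners[tokenId] != address(0)) revert AlreadyMinted(tokenId);
        _owners[tokenId] = to;
        emit Transfer(address(0), to, tokenId);
    }

    /// A token exists iff it has been minted to a non-zero owner.
    function exists(uint256 tokenId) public view returns (bool) {
        return _owners[tokenId] != address(0);
    }

    /// Vulnerable pattern from the report, kept only for contrast: metadata is
    /// derived from the ID without confirming the token was ever minted.
    function tokenURIUnchecked(uint256 tokenId) external view returns (string memory) {
        return _buildMetadata(tokenId);
    }

    /// Hardened version: reverts unless tokenId was actually minted, so a
    /// marketplace or integrator cannot be shown metadata for a fake ID.
    function tokenURI(uint256 tokenId) external view returns (string memory) {
        if (!exists(tokenId)) revert TokenDoesNotExist(tokenId);
        return _buildMetadata(tokenId);
    }

    /// Stand-in for constructMetadata(...): base string followed by the hex ID.
    function _buildMetadata(uint256 tokenId) internal view returns (string memory) {
        return string(abi.encodePacked(_baseMetadata, _toHexString(tokenId)));
    }

    /// Fixed-width 0x-prefixed hex rendering of a uint256.
    function _toHexString(uint256 value) internal pure returns (string memory) {
        bytes16 symbols = "0123456789abcdef";
        bytes memory buffer = new bytes(66);
        buffer[0] = "0";
        buffer[1] = "x";
        for (uint256 i = 65; i > 1; --i) {
            buffer[i] = symbols[value & 0xf];
            value >>= 4;
        }
        return string(buffer);
    }
}
```

Usage: after `mint(alice, 42)`, `tokenURI(42)` returns the metadata while `tokenURI(43)` reverts with `TokenDoesNotExist(43)`; `tokenURIUnchecked(43)` returns plausible-looking metadata, which is exactly the behaviour the report flags. A revert is the correct signal for off-chain consumers, since marketplaces and indexers treat a reverting `tokenURI` as "no such token" rather than rendering it.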

Picodes commented 1 month ago

Out of scope with the scoping Q&A

c4-judge commented 1 month ago

Picodes marked the issue as unsatisfactory: Out of scope