The `tokenURI` function doesn't verify that a token ID is valid before returning its metadata. This means it can return data for a fake or non-existent NFT. #15
Lines of code
https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/base/FactoryNFT.sol#L40
Vulnerability details
Impact
Anyone can call the `tokenURI` function with a fake tokenId. The function doesn't check that the tokenId exists and returns data that makes it look like a real factory NFT. The returned data can be used to deceive potential users (especially in integrations and on marketplaces), as the function will return data for a non-existent NFT id that appears to be a genuine factory NFT. This will lead to a poor user experience or financial loss for users. This also violates the ERC721 standard.
Proof of Concept
The `tokenURI` method lacks any requirement that the provided NFT id has been minted. We can also see that in the standard implementation by OpenZeppelin, this check is present. And as for the EIP compliance
An attacker can simply create a basic NFT, preferably impersonating a Factory NFT;
He deploys the contract and offers it on a marketplace for sale;
Unsuspecting users query the tokenURI of the NFT;
The function works normally as it doesn't check whether the id is a real one;
Users get deceived into thinking the NFT is a real one, which can lead to potential loss of funds.
Tools Used
Manual code review
Recommended Mitigation Steps
Consider checking that the NFT exists.
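As an added illustration (not Panoptic's FactoryNFT code), a stripped-down contract showing the unchecked `tokenURI` beside a version that reverts for unminted ids, which is what the ERC721 specification requires; the `mint` function, `_baseURI` value and metadata format are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC721-style contract (added example, not the project's code):
/// only the ownership mapping needed to show the missing existence check.
contract FactoryNFTExample {
    error NonexistentToken(uint256 tokenId);

    mapping(uint256 => address) private _owners;
    string private constant _BASE_URI = "ipfs://placeholder-cid/"; // placeholder

    /// Placeholder minting; real factories gate this behind pool creation.
    function mint(address to, uint256 tokenId) external {
        require(to != address(0), "zero address");
        require(_owners[tokenId] == address(0), "already minted");
        _owners[tokenId] = to;
    }

    /// Reverts for any id that was never minted (the ERC721 "throws" rule).
    function ownerOf(uint256 tokenId) public view returns (address) {
        address owner = _owners[tokenId];
        if (owner == address(0)) revert NonexistentToken(tokenId);
        return owner;
    }

    /// VULNERABLE: builds plausible metadata for any id, minted or not.
    function tokenURIUnchecked(uint256 tokenId) external pure returns (string memory) {
        return string.concat(_BASE_URI, _toString(tokenId));
    }

    /// FIXED: ownerOf reverts first, so a fake id cannot obtain metadata.
    function tokenURI(uint256 tokenId) external view returns (string memory) {
        ownerOf(tokenId);
        return string.concat(_BASE_URI, _toString(tokenId));
    }

    /// Decimal rendering of the id (same approach as OpenZeppelin's Strings).
    function _toString(uint256 value) internal pure returns (string memory) {
        if (value == 0) return "0";
        uint256 temp = value;
        uint256 digits;
        while (temp != 0) { digits++; temp /= 10; }
        bytes memory buffer = new bytes(digits);
        while (value != 0) {
            digits -= 1;
            buffer[digits] = bytes1(uint8(48 + value % 10));
            value /= 10;
        }
        return string(buffer);
    }
}
```

Calling `tokenURIUnchecked(999)` on a fresh deployment returns a well-formed URI for an id that was never minted, while `tokenURI(999)` reverts with `NonexistentToken(999)`.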
Assessed type
ERC721