hats-finance / Circles-0x6ca9ca24d78af44582951825bef9eadcb210e5cf

Circles Protocol contracts
https://aboutcircles.com
GNU Affero General Public License v3.0

metadata remains unchecked #17

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x49d65c7b7540d979ae4e8f41c2f6a612ce0bd583ce027661ca848edd2f218e17
Severity: low

Description: Whenever a user calls registerHuman he is able to specify _metadataDigest, as the function comments state:

// param _metadataDigest (optional) sha256 metadata digest for the avatar; metadata should follow ERC1155 metadata standard.

However when used, the function does not perform a check to make sure that the _metadataDigest follows the ERC1155 standard.

This issue has previously been mentioned in this report:

And as per EIP-1155, it states that the metadata MUST comply with certain bullet points.

As it stands now, registering a human with a metadata that is non-ERC1155 standard remains possible.

Recommendation

Introduce some logic that prevents this.

benjaminbollen commented 2 months ago

Thank you for your report regarding the unchecked metadata. After review, we've determined that this is not an issue. The metadata you're referring to is intentionally stored off-chain. As such, the smart contracts cannot and are not designed to verify the content of this metadata. The responsibility for ensuring the validity and appropriateness of this content lies with the off-chain systems and users interacting with it. We appreciate your attention to potential vulnerabilities in our system. Your report helps us ensure that our design choices and their implications are clearly understood. Thank you for contributing to the security and transparency of our platform.
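An added illustration of the off-chain check the maintainer's reply points to, written for this page and not taken from the Circles repository or from either commenter: a client or indexer that fetches avatar metadata recomputes its sha256, compares it in constant time to the 32-byte digest stored on-chain, and checks the document against the ERC-1155 metadata JSON schema field types (all fields are optional in that schema, so only present fields are type-checked; the field list is the assumed scope of the validator). The sample document is constructed.

```python
import hashlib
import hmac
import json

# ERC-1155 metadata JSON schema fields and their types. The schema marks none
# of them as required, so a validator can only check types of fields present.
ERC1155_FIELD_TYPES = {
    "name": str,
    "decimals": int,
    "description": str,
    "image": str,
    "properties": dict,
}


def sha256_digest(metadata_bytes: bytes) -> bytes:
    """Digest the exact published bytes; re-serialising the JSON could change
    whitespace or key order and silently break the match."""
    return hashlib.sha256(metadata_bytes).digest()


def digest_matches(metadata_bytes: bytes, onchain_digest: bytes) -> bool:
    """Compare the fetched document against the 32-byte digest stored on-chain."""
    if len(onchain_digest) != 32:
        return False
    return hmac.compare_digest(sha256_digest(metadata_bytes), onchain_digest)


def erc1155_schema_errors(metadata_bytes: bytes) -> list:
    """Return a list of problems; empty means the document is a JSON object
    whose known ERC-1155 fields have the expected types."""
    try:
        doc = json.loads(metadata_bytes)
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level value is not a JSON object"]
    errors = []
    for field, expected in ERC1155_FIELD_TYPES.items():
        if field in doc and not isinstance(doc[field], expected):
            errors.append(f"{field!r} should be {expected.__name__}, got {type(doc[field]).__name__}")
    if isinstance(doc.get("decimals"), bool):  # bool is an int subclass in Python
        errors.append("'decimals' should be int, got bool")
    return errors


def validate_avatar_metadata(metadata_bytes: bytes, onchain_digest: bytes) -> list:
    """Combined check an off-chain consumer runs before trusting avatar metadata."""
    errors = erc1155_schema_errors(metadata_bytes)
    if not digest_matches(metadata_bytes, onchain_digest):
        errors.insert(0, "sha256 of fetched metadata does not match on-chain digest")
    return errors


# Constructed sample document (not real Circles avatar data).
GOOD_METADATA = json.dumps({"name": "avatar", "description": "demo",
                            "image": "ipfs://example", "decimals": 0}).encode()
```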