sherlock-audit / 2024-04-teller-finance-judging

0xrobsol - Incomplete Handling of Metadata URIs in getMetadataURI Function #277

Closed sherlock-admin4 closed 5 months ago

sherlock-admin4 commented 5 months ago

0xrobsol

medium

Incomplete Handling of Metadata URIs in getMetadataURI Function

Summary

The getMetadataURI function within the smart contract inadequately handles metadata URIs, potentially leading to the failure to retrieve valid metadata when the URI is not empty.

Vulnerability Detail

The function currently checks if the retrieved metadata URI from the mapping is empty (""). If it is empty, it attempts to retrieve metadata from a deprecated bytes32 URI. However, if the metadata URI is not empty, the function does not provide any metadata, returning an empty string.

Impact

Failure to appropriately handle non-empty metadata URIs may lead to the following issues:

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/TellerV2.sol#L265

Tool used

Manual Review

Recommendation

Revise the getMetadataURI function to return non-empty metadata URIs retrieved from the mapping.

nevillehuang commented 4 months ago

Invalid based on Sherlock rules. getMetadataURI() is a view function not used anywhere else in the protocol.

  1. Incorrect values in View functions are by default considered low.