Platform: Code4rena
Start Date: 18/10/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 67
Period: 5 days
Judge: Picodes
Total Solo HM: 7
Id: 172
League: ETH
Rank: 18/67
Findings: 1
Award: $342.00
Selected for report: 0
Solo Findings: 0
Selected for report: berndartmueller
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xSmartContract, Aymen0909, BClabs, Diana, Jeiwan, Lambda, LeoS, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Rolezn, SaharAP, Trust, V_B, __141345__, a12jmx, bharg4v, brgltd, carlitox477, ch0bu, chaduke, cloudjunky, cryptostellar5, cryptphi, csanuragjain, d3e4, delfin454000, erictee, fatherOfBlocks, hansfriese, ignacio, joestakey, karanctf, ladboy233, lukris02, mcwildy, minhtrng, peanuts, ret2basic, seyni, slowmoses, svskaushik, tnevler, yixxas
341.9967 USDC - $342.00
JBTiered721Delegate inherits from JB721Delegate, which inherits from ERC721. It implements JBTiered721Delegate.tokenURI(), a function overriding ERC721's tokenURI(). This function returns the metadata URI of the provided token ID.
The issue is that if queried for a token that does not have an owner or has not been minted, it returns the empty string ''.
This breaks compliance with EIP-721's ERC721Metadata extension, which states that tokenURI():
Throws if `_tokenId` is not a valid NFT
It opens a risk for contracts that interact with JBTiered721Delegate and query tokenURI(), for instance to check contributors of a project: if a function performs some logic based on the tokenURI of a tokenId and expects the call to revert when queried for an unminted token, it will instead receive '' and carry on as if the token were valid.
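The empty-string return described above, beside the reverting form from the recommended mitigation and a caller that relies on the EIP-721 revert, as an added example that is not part of the original finding or the Juicebox code. It assumes OpenZeppelin Contracts 4.7 to 4.9, where `_exists` and `_requireMinted` are available; the contract names, `mint`, `_uris` and `ContributorCheck` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/extensions/IERC721Metadata.sol";

// Reproduces the reported behaviour: tokenURI() answers '' for an unminted id (hypothetical contract).
contract LenientTokenURI is ERC721 {
    mapping(uint256 => string) private _uris;
    constructor() ERC721("Lenient", "LEN") {}

    // Demo helper only, no access control.
    function mint(address to, uint256 tokenId, string calldata uri) external {
        _mint(to, tokenId);
        _uris[tokenId] = uri;
    }

    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        // Same shape as the finding's removed line: no owner -> empty string, no revert.
        if (!_exists(tokenId)) return "";
        return _uris[tokenId];
    }
}

// Hardened form, matching the recommended mitigation.
contract StrictTokenURI is ERC721 {
    mapping(uint256 => string) private _uris;
    constructor() ERC721("Strict", "STR") {}

    function mint(address to, uint256 tokenId, string calldata uri) external {
        _mint(to, tokenId);
        _uris[tokenId] = uri;
    }

    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        _requireMinted(tokenId); // reverts with "ERC721: invalid token ID" when unminted
        return _uris[tokenId];
    }
}

// A consumer that depends on the EIP-721 guarantee that tokenURI() throws for
// an invalid id. Against LenientTokenURI it wrongly reports true for every id.
contract ContributorCheck {
    function isContributorToken(IERC721Metadata nft, uint256 tokenId) external view returns (bool) {
        try nft.tokenURI(tokenId) returns (string memory) {
            return true;
        } catch {
            return false;
        }
    }
}
```

Deploying both token contracts and calling `isContributorToken` with an id that was never minted shows the difference: the lenient one yields true, the strict one false.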
Manual Analysis
Have the function JBTiered721Delegate.tokenURI() revert if queried for a tokenId that has not been minted yet.
+ _requireMinted(tokenId); -140: if (_owners[_tokenId] == address(0)) return '';
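Review bot: the added line calls `_requireMinted(tokenId)` while the removed line reads `_owners[_tokenId]`, so the argument name does not match the parameter the existing function uses; the suggested line should use `_tokenId` (or whatever the function's parameter is actually named) or it will not compile. It would also help to state where `_requireMinted` is defined, since the removed line checks `_owners` directly rather than through a helper.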
#0 - c4-judge
2022-11-08T15:10:45Z
Picodes changed the severity to QA (Quality Assurance)
#1 - c4-judge
2022-11-08T15:10:51Z
Picodes marked the issue as grade-a