0xrobsol - Incomplete Handling of Metadata URIs in getMetadataURI Function
Closed this issue · 1 comments
0xrobsol
medium
Incomplete Handling of Metadata URIs in getMetadataURI Function
Summary
The getMetadataURI function within the smart contract inadequately handles metadata URIs, potentially leading to the failure to retrieve valid metadata when the URI is not empty.
Vulnerability Detail
The function currently checks if the retrieved metadata URI from the mapping is empty (""). If it is empty, it attempts to retrieve metadata from a deprecated bytes32 URI. However, if the metadata URI is not empty, the function does not provide any metadata, returning an empty string.
Impact
Failure to appropriately handle non-empty metadata URIs may lead to the following issues:
- Inaccurate Metadata Retrieval: Valid metadata associated with a bid ID may not be returned by the function, leading to incomplete information retrieval.
- Functional Limitation: Users relying on the getMetadataURI function may experience unexpected behavior or difficulties in accessing metadata for bids with non-empty URIs.
Code Snippet
Tool used
Manual Review
Recommendation
Revise the getMetadataURI function to return non-empty metadata URIs retrieved from the mapping.
Invalid based on sherlock rules. getMetadataURI() is a view function not used anywhere else in the protocol.
- Incorrect values in View functions are by default considered low.