Lack of validation for the tokenUri parameter [code-improvement] #20

Closed
0xM3R opened this issue Dec 16, 2024 · 0 comments · Fixed by #29 or #6

0xM3R commented Dec 16, 2024

File: mint.ts
Issue: Lack of validation for the tokenUri parameter.

Analysis

The vulnerable implementation is as follows:

const tx = await contract.safeMint(recipient, args.tokenUri);

  • Unvalidated Input: The tokenUri is used without checking its validity or format.

How It Can Be Harmful

  • Malicious Metadata: Invalid or malicious URIs can compromise metadata storage or lead to security vulnerabilities.

How to Mitigate the Issue

1. Validate URIs: Ensure the tokenUri follows a proper format before minting.

if (!args.tokenUri.startsWith("https://")) {
    throw new Error("Invalid token URI format. Must start with 'https://'.");
}

2. Sanitize Inputs: Implement input sanitization to prevent injection of malicious data.

References

  • Improper Input Validation in Smart Contracts
    Discusses the importance of input validation to prevent vulnerabilities.
    Metana Blog
  • CVE-2024-32649
    Highlights vulnerabilities due to improper input validation in smart contracts.
    CVE Details
0xM3R added the Security label Dec 16, 2024
0xM3R transferred this issue from zeta-chain/smart-contract-vulns Dec 17, 2024
This was linked to pull requests Dec 18, 2024
fadeev closed this as completed in #6 Dec 23, 2024