Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ReceiptRenderer SVG code is incorrect and makes text illegible #127

Open
code423n4 opened this issue Jan 27, 2023 · 5 comments
Open

ReceiptRenderer SVG code is incorrect and makes text illegible #127

code423n4 opened this issue Jan 27, 2023 · 5 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b Q-80 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/ReceiptRenderer.sol#L100-L114

Vulnerability details

In ReceiptRenderer.sol the generated SVG in generateSVG has both texts (RabbitHole Quest # and RabbitHole Quest Receipt #) rendered on top of each other, making the text completely illegible.

Impact

SVG rendering of receipts will be illegible for users.

Proof of Concept

Put the SVG code in a renderer: you will see that both texts are on top of each other.
The SVG looks like this (using questId_ = 1, and tokenId_ = 1):

Wrong SVG rendering

Tools Used

SVG Viewer

Recommended Mitigation Steps

Use the SVG tag tspan for each row of text. Correct code:

/// @dev generates the on-chain SVG for an ERC-721 token ID
/// @param tokenId_ The token id to generate the svg for
/// @param questId_ The questId tied to the tokenId
/// @return encoded JSON for an SVG image
function generateSVG(uint tokenId_, string memory questId_) public pure returns (string memory) {
    bytes memory svg = abi.encodePacked(
        '<svg xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinYMin meet" viewBox="0 0 350 350">',
        '<style>.base { fill: white; font-family: serif; font-size: 14px; }</style>',
        '<rect width="100%" height="100%" fill="black" />',
        '<text y="40%">',
        '<tspan x="50%" dy=".6em" class="base" text-anchor="middle">RabbitHole Quest #',
        questId_,
        '</tspan>',
        '<tspan x="50%" dy="1.2em" class="base" text-anchor="middle">RabbitHole Quest Receipt #',
        tokenId_,
        '</tspan>',
        '</text>',
        '</svg>'
    );
    return string(abi.encodePacked('data:image/svg+xml;base64,', Base64.encode(svg)));
}

Result:
Correct SVG
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 27, 2023
code423n4 added a commit that referenced this issue Jan 27, 2023
@code423n4
DadeKuma issue #127
ff6c0ed
@c4-sponsor
Copy link

waynehoover marked the issue as disagree with severity

@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Feb 7, 2023
@waynehoover
Copy link

Just text display of an NFT, this rendering detail has and will change on final deployment.

@waynehoover waynehoover mentioned this issue Feb 7, 2023
Closed
@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Feb 16, 2023
@c4-judge
Copy link
Contributor

kirk-baird changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added the QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax label Feb 16, 2023
@kirk-baird
Copy link

This would not result in a direct loss of funds and is a valid QA issue.

@c4-judge
Copy link
Contributor

kirk-baird marked the issue as grade-b

@C4-Staff C4-Staff added the Q-80 label Feb 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue grade-b Q-80 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@waynehoover @kirk-baird @code423n4 @c4-judge @c4-sponsor @C4-Staff