updatePurchaseIds can overwrite purchaseIdentifiers

Low Risk

Buyers can set a purchase ID for each token when they buy it, but the canvas admin can overwrite these identifiers. In Customize.sol, the updatePurchaseIds function receives an array of token IDs and purchase IDs, and assigns those purchase IDs to the tokens in the token IDs array. This allows the canvas admin to change purchase IDs that were previously set by buyers, which could break external functionality that depends on purchase IDs, especially because no event is emitted to signal the change. Furthermore, there is no validation that the given token IDs actually exist.

A similar problem exists in the updateChipIds function. We assume that this function is part of the PBT protocol, which is not implemented yet, and that its functionality is therefore not complete. Note that this function does not check that each chip belongs to exactly one address and vice versa.

Recommendation

Add an event that signals a change in purchase IDs, and validate that the given token IDs exist.
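
One way to apply this recommendation, as an added sketch that is not the audited Customize.sol: every overwrite emits an event carrying the old and new value, and unknown token IDs are rejected. The contract name, the `string` type for purchase IDs, the two-array signature, the `canvasAdmin` address check, the `_owners` existence check and the `buy` stand-in are all assumptions; only `updatePurchaseIds` and `purchaseIdentifiers` are names taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: storage layout, types and access control are assumed,
// not copied from the audited code base.
contract CustomizeSketch {
    address public immutable canvasAdmin;                  // assumed admin model
    mapping(uint256 => address) private _owners;           // stand-in for ERC-721 ownership
    mapping(uint256 => string) public purchaseIdentifiers; // assumed value type

    // Off-chain consumers can follow every change, including who made it.
    event PurchaseIdUpdated(
        uint256 indexed tokenId,
        string oldPurchaseId,
        string newPurchaseId,
        address indexed updatedBy
    );

    error NotCanvasAdmin();
    error LengthMismatch(uint256 tokenIdCount, uint256 purchaseIdCount);
    error NonexistentToken(uint256 tokenId);

    constructor(address admin) {
        canvasAdmin = admin;
    }

    // Hypothetical purchase path: the buyer mints and sets the initial ID.
    function buy(uint256 tokenId, string calldata purchaseId) external {
        require(_owners[tokenId] == address(0), "already minted");
        _owners[tokenId] = msg.sender;
        purchaseIdentifiers[tokenId] = purchaseId;
        emit PurchaseIdUpdated(tokenId, "", purchaseId, msg.sender);
    }

    function updatePurchaseIds(uint256[] calldata tokenIds, string[] calldata purchaseIds) external {
        if (msg.sender != canvasAdmin) revert NotCanvasAdmin();
        // Not named in the finding, but needed so a short array cannot cause an out-of-bounds panic.
        if (tokenIds.length != purchaseIds.length) revert LengthMismatch(tokenIds.length, purchaseIds.length);
        for (uint256 i = 0; i < tokenIds.length; ++i) {
            uint256 tokenId = tokenIds[i];
            // Reject IDs that were never minted instead of silently writing to them.
            if (_owners[tokenId] == address(0)) revert NonexistentToken(tokenId);
            string memory oldId = purchaseIdentifiers[tokenId];
            purchaseIdentifiers[tokenId] = purchaseIds[i];
            emit PurchaseIdUpdated(tokenId, oldId, purchaseIds[i], msg.sender);
        }
    }
}
```

A reverting existence check makes the whole batch atomic: one unknown token ID rolls back every write in the call, so the emitted events always match the stored state.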