F-2025-0005·spec-deviation

Missing token existence validation in tokenURI leads to EIP-721 standard violation and marketplace integration issues

Fixednfterc721erc20
TL;DR

tokenURI does not validate that the queried tokenId exists, returning default metadata instead of reverting as required by the EIP-721 standard, which can cause marketplace and wallet integration issues.

Severity
MEDIUM
Impact
MEDIUM
Likelihood
MEDIUM
Method
MManual review
CAT.
Complexity
LOW
Exploitability
MEDIUM
02Section · Description

Description

The tokenURI function in both KnowledgeMarket.sol and KnowledgeMarketV2.sol does not validate that the requested tokenId exists before returning metadata, violating the EIP-721 standard. The function directly accesses storage mappings without checking token existence, causing it to return metadata with default/empty values for non-existent tokens instead of reverting as required by the standard.

solidity
function tokenURI(uint256 id) public view override returns (string memory) {
    Metadata memory data = nftData[id];   // No existence check
    Deal memory deal = dealInfo[id];
    Settings memory set = accessControl[data.hash];
    // ... returns metadata for non-existent tokens
}

EIP-721 Standard Requirement: The EIP-721 specification explicitly states that tokenURI should "Throws if _tokenId is not a valid NFT."

Vulnerable Scenario:

The following steps help reproduce the issue:

  1. An external application or user calls tokenURI(999999) for a token ID that was never minted.
  2. The function accesses nftData[999999] which returns a default empty struct instead of reverting.
  3. The function constructs and returns JSON metadata using these default values.
  4. The caller receives seemingly valid metadata for a non-existent token, creating a "ghost token" effect.
  5. NFT marketplaces and integrations may display this non-existent token as if it were real.
03Section · Impact

Impact

Direct violation of the EIP-721 standard leading to integration issues with NFT marketplaces and wallets. Applications may display non-existent tokens with default metadata, causing confusion for users and potentially breaking marketplace functionality that relies on standard-compliant behavior.

04Section · Recommendation

Recommendation

Add token existence validation at the beginning of the tokenURI function in both contracts:

solidity
require(_ownerOf(_tokenId) != address(0), "ERC721: invalid token ID");

Or use the OpenZeppelin _requireOwned(id) helper if available.

05Section · Resolution

Resolution

Ipal Network: Confirmed. We agreed with the recommendation and have implemented a token existence check at the beginning of the tokenURI function.

Zealynx: Fixed. Added token existence validation with _requireOwned(id) at the beginning of the tokenURI function, ensuring EIP-721 compliance and proper error handling for non-existent tokens.

Status
Fixed
ZEALYNX SECURITY · published 2025-07-31
F-2025-0005

oog
zealynx

Smart Contract Security Digest

Monthly exploit breakdowns, audit checklists, and DeFi security research — straight to your inbox

REQUEST AN AUDIT

Quick Links

Services

Company

Resources

© 2026 Zealynx