Setting the base URI in the constructor allows the hackers to find the location of the unrevealed metadata. They can call baseURI() or look for the deployment transaction. This lets them find which are the rarest tokens and also steal the artwork.
This PR changes the behavior to set the base at the reveal moment. It changes the reveal() method to take the base URI as a parameter and only allows calling setBaseURI() when revealed is true.
It also moves the check for token existence in tokenURI() to make it somewhat harder for hackers to find what tokens have already been minted before the reveal.
I think the _baseURI() is an internal function, not sure if it can be called from outside. But not an expert here, would love to learn how it can be called or how to figure out the baseURI from the deployment transaction 👀
Though, I'm having similar concerns and I think the problem is the following line
@laygir Being able to change the base URI is a feature defined by @HashLips. This PR does not change it and this feature is rightfully questioned in #20.
Adding public makes the compiler generate a read-only method with the same name as the variable. In this case baseURI(). This simply allows getting the current value. It can be useful when developing a frontend to interact with the contract.
@HashLips added a setBaseURI() that allows changing the value of baseURI:
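An added sketch of the reveal-time pattern described in the PR text above (not the PR's or the project's own code). The contract name, the one-time `require(!revealed)` guard, the `.json` suffix and the placeholder `mint` are assumptions, and it targets OpenZeppelin Contracts 4.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: OpenZeppelin Contracts 4.x (provides _exists and a no-argument Ownable).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/utils/Strings.sol";

// Hypothetical contract; sale logic is omitted to keep the focus on the reveal.
contract RevealAtCallExample is ERC721, Ownable {
    using Strings for uint256;

    // Deliberately not set in the constructor: until reveal() runs, the real metadata
    // location is absent from contract storage and from the deployment transaction.
    // (Marking it private alone would not hide a value that is already stored.)
    string private baseURI;
    string public notRevealedUri;
    bool public revealed = false;

    constructor(string memory _notRevealedUri) ERC721("Example", "EX") {
        notRevealedUri = _notRevealedUri;
    }

    // Placeholder mint (assumption) so the example has tokens to query.
    function mint(address to, uint256 tokenId) external onlyOwner { _safeMint(to, tokenId); }

    // The base URI first appears on chain in the calldata of this call.
    function reveal(string memory _newBaseURI) external onlyOwner {
        require(!revealed, "already revealed");
        baseURI = _newBaseURI;
        revealed = true;
    }

    // Changing the base is only possible once the collection is revealed.
    function setBaseURI(string memory _newBaseURI) external onlyOwner {
        require(revealed, "not revealed yet");
        baseURI = _newBaseURI;
    }

    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        // Before the reveal every id gets the same placeholder, minted or not,
        // so this call does not disclose which tokens exist.
        if (!revealed) {
            return notRevealedUri;
        }
        // The existence check runs only after the reveal.
        require(_exists(tokenId), "ERC721Metadata: URI query for nonexistent token");
        return string(abi.encodePacked(baseURI, tokenId.toString(), ".json"));
    }
}
```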