#56730 [SC - Insight] Transmuter tokenURI is not EIP-721 compliant

Submitted on Oct 19th 2025 at 23:38:25 UTC by @lirezarazavi for Audit Comp | Alchemix V3

  • Report ID: #56730

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/Transmuter.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

tokenURI() violates EIP-721 by not reverting for non-existent token IDs.

Vulnerability Details

According to the EIP-721 specification, tokenURI() must throw if the provided _tokenId does not correspond to a valid NFT. The current implementation instead returns a non-empty SVG/string for any tokenId, including ones that have never been minted.
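As an added illustration (constructed example, not the Transmuter's code), the two patterns side by side: a tokenURI that renders metadata for any id, and the EIP-721-compliant form that checks existence first. Contract, function and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for an NFT position contract (constructed example).
// Only the pieces needed to show the tokenURI behaviour are included.
contract PositionNFTExample {
    mapping(uint256 => address) private _owners;
    uint256 public nextId = 1;

    error ERC721NonexistentToken(uint256 tokenId);

    function mint(address to) external returns (uint256 id) {
        id = nextId++;
        _owners[id] = to;
    }

    function ownerOf(uint256 tokenId) public view returns (address) {
        address owner = _owners[tokenId];
        if (owner == address(0)) revert ERC721NonexistentToken(tokenId);
        return owner;
    }

    // Non-compliant pattern: renders metadata for any id, minted or not,
    // so a client cannot tell a real position from a made-up id.
    function tokenURI_unchecked(uint256 tokenId) external pure returns (string memory) {
        return _render(tokenId);
    }

    // EIP-721-compliant pattern: existence check first, so a query for an
    // unminted id reverts instead of returning plausible-looking metadata.
    function tokenURI(uint256 tokenId) external view returns (string memory) {
        ownerOf(tokenId); // reverts with ERC721NonexistentToken if unminted
        return _render(tokenId);
    }

    function _render(uint256 tokenId) internal pure returns (string memory) {
        return string(abi.encodePacked("data:text/plain,position-", _toString(tokenId)));
    }

    function _toString(uint256 v) internal pure returns (string memory) {
        if (v == 0) return "0";
        uint256 len;
        for (uint256 t = v; t != 0; t /= 10) len++;
        bytes memory b = new bytes(len);
        while (v != 0) { b[--len] = bytes1(uint8(48 + v % 10)); v /= 10; }
        return string(b);
    }
}
```

In a Foundry test, wrapping a call to tokenURI() on an unminted id with vm.expectRevert distinguishes the compliant form from the unchecked one.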

Impact Details

  • Violation of EIP-721

  • This behavior can lead to confusion and makes it difficult for clients and applications to determine the validity of a token.

References

  • https://github.com/alchemix-finance/v3-poc/blob/a192ab313c81ba3ab621d9ca1ee000110fbdd1e9/src/Transmuter.sol#L153-L155

  • https://eips.ethereum.org/EIPS/eip-721#:~:text=///%20%40dev%20Throws%20if%20%60_tokenId%60%20is%20not%20a%20valid%20NFT.%20URIs%20are%20defined%20in%20RFC

Proof of Concept

  1. Add (copy and paste) the following function to src/test/Transmuter.t.sol:

  2. Run: forge test --match-test testTokenURI_PoC.
