ERC1155WithERC20FractionsWithCallbackDataManager Manual Review Findings

ECW-01M: Potential Name & Symbol Spoofing

Type	Severity	Location
Logical Fault		ERC1155WithERC20FractionsWithCallbackDataManager.sol:L138, L140-L141

Description:

The ERC1155WithERC20FractionsWithCallbackDataManager implementation does not enforce any kind of reservation system for its tokens' names and symbols, permitting the same name and symbol combination to be launched multiple times.

Impact:

It is presently possible for multiple EIP-20 assets with the same name and symbol to exist under the same EIP-1155 implementation which might be confusing.

Example:

Copy
134function _prepareNameAndSymbol(bytes memory data, uint256 id) private view returns (string memory, string memory) {
135    string memory name_;
136    string memory symbol_;
137    if (data.length != 0) {
138        (name_, symbol_) = abi.decode(data, (string, string));
139    } else {
140        name_ = string.concat(name(), " ", Strings.toString(id));
141        symbol_ = string.concat(symbol(), "-", Strings.toString(id));
142    }
143    return (name_, symbol_);
144}

Recommendation:

We advise the system to either reserve name and symbol combinations or to utilize the automatic generation mechanism in all circumstances, either of which we consider an adequate remediation to this exhibit.

Alleviation (c6b23c23d8bcd8cce85049ad959cbd711a37126b):

The name and symbol of an EIP-20 asset within the EIP-1155 implementation can no longer be defined as an input argument, ensuring it is automatically generated each time and thus that it cannot be spoofed.