INF-02M: Potential Sensitive Data Leak
Description:
The tokenURI function contains non-trivial logic that yields a different URI depending on whether the vesting position that the token's vesting controller ("VC") holds for it has been fully claimed: a fully-claimed token receives an underscore-suffixed URI, while any other token receives the plain one. As tokenURI is a public view function, this distinction is observable by anyone, not only by the token holder.
Example:
function tokenURI(uint256 tokenId)
    public
    view
    override(ERC721Upgradeable)
    returns (string memory)
{
    require(
        _exists(tokenId),
        "ERC721Metadata: URI query for nonexistent token"
    );
    string memory baseURIString = _baseURI();
    (
        uint256 rndTokenAmount,
        uint256 rndClaimedAmount
    ) = IVestingControllerERC721(REGISTRY.getAddress("VC"))
        .getInvestmentInfoForNFT(tokenId);
    bool isClaimedAll = rndTokenAmount == rndClaimedAmount ? true : false;
    return
        bytes(baseURIString).length > 0
            ? isClaimedAll
                ? string(abi.encodePacked(baseURI, tokenId.toString(), "_"))
                : string(abi.encodePacked(baseURI, tokenId.toString()))
            : "";
}
Recommendation:
We advise this trait of the system to be revised. The on-chain URI should remain stable (base URI plus token ID) and any change in what is rendered for a fully-claimed token should be handled off-chain by the website implementation, which can query the vesting controller itself. Otherwise, the underscore-suffixed resource could leak sensitive information if it is made accessible purely on the basis that the requester obtained the URI from the contract, since the tokenURI output is readable by anyone and the suffix is trivially guessable.
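The following is an added illustration of the recommended split, not code from the audited project: the on-chain side returns a stable URI and an off-chain metadata resolver decides which variant to serve by querying the vesting controller at request time. The base URI, the vesting data and the vestingController stub (mirroring the getInvestmentInfoForNFT interface quoted in the finding) are constructed for the example. The original suffix-based URI is kept alongside to show why it leaks.

```javascript
// Added example (not the audited project's code). Assumptions, all
// hypothetical: BASE_URI and VESTING_DATA are constructed; `vestingController`
// stands in for an RPC-backed IVestingControllerERC721 client whose
// getInvestmentInfoForNFT(tokenId) resolves to { rndTokenAmount, rndClaimedAmount }.
const BASE_URI = "https://example.invalid/nft/"; // constructed

// Constructed vesting positions, keyed by token ID (BigInt, as on-chain uint256).
const VESTING_DATA = new Map([
  [1n, { rndTokenAmount: 1000n, rndClaimedAmount: 1000n }], // fully claimed
  [2n, { rndTokenAmount: 1000n, rndClaimedAmount: 250n }],  // partially claimed
  [3n, { rndTokenAmount: 1000n, rndClaimedAmount: 0n }],    // untouched
]);

// Stub for the vesting controller; a real client would make an eth_call here.
const vestingController = {
  async getInvestmentInfoForNFT(tokenId) {
    const info = VESTING_DATA.get(tokenId);
    if (!info) throw new Error("VC: no investment for tokenId");
    return info;
  },
};

// The pattern from the finding: the trailing "_" is a public signal, so any
// observer of the (public view) tokenURI learns the claim state for free.
function originalTokenUri(tokenId, info) {
  const claimedAll = info.rndTokenAmount === info.rndClaimedAmount;
  return `${BASE_URI}${tokenId}${claimedAll ? "_" : ""}`;
}
function inferClaimStateFromUri(uri) {
  return uri.endsWith("_") ? "fully-claimed" : "not-fully-claimed";
}

// Hardened on-chain form: the URI encodes only the token ID, never state.
function stableTokenUri(tokenId) {
  return `${BASE_URI}${tokenId}`;
}

// Off-chain resolver: extracts the token ID from the requested path, asks the
// vesting controller directly and picks the metadata variant server-side.
// Claim status is looked up at request time and never inferred from the URL,
// so a guessed "1_" path grants nothing.
async function resolveMetadata(path, vc) {
  if (!path.startsWith(BASE_URI)) return { status: 404 };
  const idPart = path.slice(BASE_URI.length);
  if (!/^\d+$/.test(idPart)) return { status: 404 }; // rejects "1_", "1/..", ""
  const tokenId = BigInt(idPart);
  let info;
  try {
    info = await vc.getInvestmentInfoForNFT(tokenId);
  } catch {
    return { status: 404 }; // unknown token: no metadata, no hint about why
  }
  const claimedAll = info.rndTokenAmount === info.rndClaimedAmount;
  return {
    status: 200,
    body: {
      name: `Investor NFT #${tokenId}`,
      image: claimedAll
        ? `${BASE_URI}art/claimed.png`
        : `${BASE_URI}art/vesting.png`,
    },
  };
}

module.exports = { originalTokenUri, inferClaimStateFromUri, stableTokenUri, resolveMetadata, vestingController, BASE_URI };
```

Note that this only removes the URL-shape leak and the temptation to treat URL knowledge as authorisation. If the fully-claimed variant carries anything genuinely confidential, the resolver must additionally verify that the requester controls the token (for example via a signed message checked against the on-chain owner) before serving it; choosing the variant server-side does not by itself make the page private.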