BaseChainlinkFunctionsOracle::sendRequest hardcodes Location.Inline when initializing requests, which places the JavaScript source, and any sensitive data embedded in it, on-chain in clear text. Using Location.DONHosted, which stores encrypted content on the DON rather than in the request, would keep that sensitive material off-chain.
The sendRequest function initializes requests with Location.Inline:
Using Location.Inline means:
The JavaScript source code is serialized into the request (CBOR) and stored directly on-chain
Anyone can read the source code from the transaction calldata
Any sensitive data or logic in the code is exposed to every chain observer
Secrets and private API endpoints written into the source become public, and remain public because they cannot be removed from chain history
Source code and logic are publicly visible
Any sensitive data included in the source (API keys, tokens, private endpoints) is exposed on-chain and cannot be rotated out of the historical record
Manual Review
Use Location.DONHosted so that sensitive material is stored encrypted on the DON instead of being written into the request:
Benefits:
Secrets are stored encrypted on the DON network and never appear in calldata
Sensitive values referenced by the source remain private
Caveat: in Chainlink's FunctionsRequest library, DONHosted is applied through addDONHostedSecrets(slotID, version) and governs secretsLocation; the JavaScript source itself is still submitted inline (initializeRequestForInlineJavaScript), and Chainlink's documentation describes inline as the supported source location. In practice the fix is therefore to treat the source as public, keep every credential out of it, and have the source read credentials from the DON-hosted (or remote encrypted) secrets object.
Note: Using Location.DONHosted requires maintaining a minimum balance in the Chainlink subscription for storing encrypted secrets. DON-hosted secrets are also uploaded with an expiry (minutesUntilExpiration in the Functions toolkit), so the slot and version the contract references must be re-uploaded before they expire or requests will fail to find the secret.
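The following contract is an added example, not code from the audited project or from Chainlink; it shows the exposure and the fix side by side. The weak function splices a credential into the inline source, so the key lands in calldata; the hardened function keeps the source inline (it is code, not a secret) and reads the key from the DON-hosted secrets object via the library's addDONHostedSecrets path. The Chainlink FunctionsClient and FunctionsRequest imports are real; the contract name, the api.example.com endpoint, the secret name apiKey, and the slot/version values are assumptions for illustration, and access control on the request functions is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not the audited project's code. Everything except the Chainlink
// FunctionsClient/FunctionsRequest imports (contract name, endpoint, secret name,
// slot/version values) is an assumption for illustration.
import {FunctionsClient} from "@chainlink/contracts/src/v0.8/functions/v1_0_0/FunctionsClient.sol";
import {FunctionsRequest} from "@chainlink/contracts/src/v0.8/functions/v1_0_0/libraries/FunctionsRequest.sol";

contract SecretsAwareFunctionsOracle is FunctionsClient {
    using FunctionsRequest for FunctionsRequest.Request;

    uint64 public immutable subscriptionId;
    bytes32 public immutable donId;
    uint32 public constant CALLBACK_GAS_LIMIT = 300_000;

    // Request body shared by both patterns. It is inline and therefore public,
    // so it must not contain any credential. (api.example.com is a placeholder.)
    string internal constant REQUEST_BODY =
        "const r = await Functions.makeHttpRequest({"
        "  url: `https://api.example.com/price/${args[0]}`,"
        "  headers: { Authorization: `Bearer ${apiKey}` }"
        "});"
        "if (r.error) throw Error('request failed');"
        "return Functions.encodeUint256(Math.round(r.data.price * 1e8));";

    bytes32 public lastRequestId;
    bytes public lastResponse;
    bytes public lastError;

    constructor(address router, uint64 _subscriptionId, bytes32 _donId)
        FunctionsClient(router)
    {
        subscriptionId = _subscriptionId;
        donId = _donId;
    }

    // Weak pattern (kept for contrast): the credential is spliced into the inline
    // source, so it is written into the request calldata and readable by anyone
    // who inspects the transaction, forever.
    function sendRequestWithInlineKey(string calldata apiKey, string[] calldata args)
        external
        returns (bytes32)
    {
        FunctionsRequest.Request memory req;
        req.initializeRequestForInlineJavaScript(
            string.concat("const apiKey = '", apiKey, "';", REQUEST_BODY)
        );
        req.setArgs(args);
        lastRequestId = _sendRequest(req.encodeCBOR(), subscriptionId, CALLBACK_GAS_LIMIT, donId);
        return lastRequestId;
    }

    // Hardened pattern: the source stays inline but reads the key from the
    // DON-hosted `secrets` object. Only the slot id and version of the encrypted
    // secrets are written on-chain; the key itself lives encrypted on the DON,
    // uploaded out-of-band with the Functions toolkit (uploadSecretsToDON).
    function sendRequestWithDonHostedSecrets(
        uint8 secretsSlotId,
        uint64 secretsVersion,
        string[] calldata args
    ) external returns (bytes32) {
        FunctionsRequest.Request memory req;
        req.initializeRequestForInlineJavaScript(
            string.concat(
                "const apiKey = secrets.apiKey;"
                "if (!apiKey) throw Error('apiKey secret not provided');",
                REQUEST_BODY
            )
        );
        // Sets secretsLocation = Location.DONHosted; no secret bytes go on-chain.
        req.addDONHostedSecrets(secretsSlotId, secretsVersion);
        req.setArgs(args);
        lastRequestId = _sendRequest(req.encodeCBOR(), subscriptionId, CALLBACK_GAS_LIMIT, donId);
        return lastRequestId;
    }

    // Router callback: store the result or the error returned by the DON.
    function fulfillRequest(bytes32 requestId, bytes memory response, bytes memory err)
        internal
        override
    {
        require(requestId == lastRequestId, "unexpected request id");
        lastResponse = response;
        lastError = err;
    }
}
```

Before calling sendRequestWithDonHostedSecrets, the operator encrypts `{ "apiKey": "..." }` with the DON public key and uploads it with the toolkit, which returns the slot id and version to pass in; because the upload carries an expiry, the operator must re-upload and update the version before it lapses. A production contract would also restrict who may trigger requests, since each call consumes subscription balance.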