Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing requestId Check and Empty Response Handling in fulfillRequest

Summary

The fulfillRequest callback never checks that the requestId passed in by the Chainlink Functions router matches the request the contract last sent (s_lastRequestId), and it emits no event when a fulfilment arrives. A response to a stale, superseded request can therefore be accepted and processed, overwriting newer data, and off-chain observers have no log from which to track fulfilment.

Vulnerability Details

bytes32 public s_lastRequestId;

function fulfillRequest(
    bytes32 requestId,
    bytes memory response,
    bytes memory err
) internal override {
    // requestId is never compared with s_lastRequestId
    s_lastResponse = response;
    s_lastError = err;
    // no event is emitted for the fulfilment
    if (err.length == 0) {
        if (response.length == 0) {
            revert FulfillmentFailed();
        }
        _processResponse(response);
    }
}

The main problem with this fulfillRequest implementation is that it never compares the requestId supplied by the router with the s_lastRequestId the contract recorded when it sent the request. Whatever requestId the router delivers is accepted, so the response to an earlier request that is still in flight can be processed after a newer request was sent, as if it were the latest one.
In addition, the function emits no event, so external contracts, indexers and front-ends have no way to observe that a fulfilment happened or what it contained.

Impact

  1. No requestId verification: a response to a stale or out-of-order request (for example one sent earlier with different arguments) can be processed and overwrite the data that belongs to the latest legitimate request. Note that FunctionsClient restricts handleOracleFulfillment to the Functions router, so the practical risk is stale or out-of-order responses rather than requests forged by an arbitrary caller.

  2. No event is emitted (emit Response(...)): off-chain components cannot monitor request fulfilment, which hurts traceability and makes stale or failed fulfilments harder to diagnose.

Tools Used

Recommendations

  1. Add a requestId check so that only the response to the most recently sent request (s_lastRequestId) is processed, and revert on any other id.

  2. Emit a Response(...) event on every fulfilment so that external contracts and front-ends can monitor request status.

This follows the pattern in Chainlink's official Functions consumer example:
 
error UnexpectedRequestID(bytes32 requestId);
event Response(bytes32 indexed requestId, bytes response, bytes err);

// s_lastRequestId must be assigned from the return value of _sendRequest
// when the request is sent, so that the comparison below has an id to match.
function fulfillRequest(
    bytes32 requestId,
    bytes memory response,
    bytes memory err
) internal override {
    if (s_lastRequestId != requestId) {
        revert UnexpectedRequestID(requestId); // reject stale or unexpected request ids
    }
    s_lastResponse = response;
    s_lastError = err;
    emit Response(requestId, s_lastResponse, s_lastError);
    if (err.length == 0) {
        if (response.length == 0) {
            revert FulfillmentFailed();
        }
        _processResponse(response);
    }
}
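As an added example, not code from this submission or from the audited project, the contract below wires both halves of the recommendation together: sendRequest records the id returned by _sendRequest, and fulfillRequest rejects any other id and emits the event. The contract name, the sendRequest parameters, the RequestSent event and the uint256 decoding in _processResponse are assumptions for illustration; the FunctionsClient and FunctionsRequest imports are the real ones published in @chainlink/contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not the audited project's code. A minimal Chainlink Functions
// consumer that records the request id when sending and verifies it on fulfilment.
import {FunctionsClient} from "@chainlink/contracts/src/v0.8/functions/v1_0_0/FunctionsClient.sol";
import {FunctionsRequest} from "@chainlink/contracts/src/v0.8/functions/v1_0_0/libraries/FunctionsRequest.sol";

contract CheckedFunctionsConsumer is FunctionsClient {
    using FunctionsRequest for FunctionsRequest.Request;

    bytes32 public s_lastRequestId;
    bytes public s_lastResponse;
    bytes public s_lastError;
    uint256 public s_lastValue; // hypothetical decoded result, for illustration

    error UnexpectedRequestID(bytes32 requestId);
    error FulfillmentFailed();

    event RequestSent(bytes32 indexed requestId);
    event Response(bytes32 indexed requestId, bytes response, bytes err);

    constructor(address router) FunctionsClient(router) {}

    // Sends a request and records its id. _sendRequest returns the id that the
    // router will pass back to fulfillRequest, so this is the value to remember.
    function sendRequest(
        string calldata source,
        string[] calldata args,
        uint64 subscriptionId,
        uint32 gasLimit,
        bytes32 donId
    ) external returns (bytes32 requestId) {
        FunctionsRequest.Request memory req;
        req.initializeRequestForInlineJavaScript(source);
        if (args.length > 0) {
            req.setArgs(args);
        }
        requestId = _sendRequest(req.encodeCBOR(), subscriptionId, gasLimit, donId);
        s_lastRequestId = requestId;
        emit RequestSent(requestId);
    }

    // Router callback (reached through FunctionsClient.handleOracleFulfillment,
    // which only the router may call). Only the response to the most recently
    // sent request is accepted; a late response to an earlier request reverts
    // instead of overwriting newer state.
    function fulfillRequest(
        bytes32 requestId,
        bytes memory response,
        bytes memory err
    ) internal override {
        if (s_lastRequestId != requestId) {
            revert UnexpectedRequestID(requestId);
        }
        s_lastResponse = response;
        s_lastError = err;
        emit Response(requestId, response, err);
        if (err.length == 0) {
            if (response.length == 0) {
                revert FulfillmentFailed();
            }
            _processResponse(response);
        }
    }

    // Hypothetical decoding step standing in for the project's _processResponse.
    function _processResponse(bytes memory response) internal {
        s_lastValue = abi.decode(response, (uint256));
    }
}
```

Because the check keys on a single s_lastRequestId, sending a second request while the first is still in flight makes the first one's response revert; that is the intended "only the latest wins" semantic. A contract that must accept several concurrent requests should instead track outstanding ids in a mapping and clear each entry when it is fulfilled. Note also that the Functions router invokes the callback with a bounded gas limit and records a revert as a failed callback rather than propagating it, so the revert protects this contract's state but does not by itself make the request retryable.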
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Out of scope
