Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing requestId check in `BaseChainlinkFunctionsOracle::fulfillRequest` can allow the processing of unsolicited or malicious responses

Description

Normal Behavior: The BaseChainlinkFunctionsOracle contract is designed to send requests to Chainlink Functions and process the responses securely. It uses a requestId to track the latest request sent and expects to receive a response corresponding to this requestId.

Problem: The BaseChainlinkFunctionsOracle::fulfillRequest function does not verify if the requestId of the incoming response matches the s_lastRequestId, which is the ID of the last request sent. This omission can allow the processing of unsolicited or malicious responses.

function fulfillRequest(
    bytes32 requestId,
    bytes memory response,
    bytes memory err
) internal override {
    s_lastResponse = response;
    s_lastError = err;
    // @> Missing verification of requestId against s_lastRequestId
    if (err.length == 0) {
        if (response.length == 0) {
            revert FulfillmentFailed();
        }
        _processResponse(response);
    }
}

Risk

Likelihood: Low

  • Reason: This scenario will occur when there is an error in the network and/or when a part of the DON is compromised.

Impact: High

  • Reason: The impact is critical because if exploited, this vulnerability could lead to the acceptance of incorrect or malicious data in both the RAACPrimeRateOracle and RAACHousePriceOracle. This could result in inaccurate prime rates and house prices being used within the RAAC protocol.

Recommended Mitigation

According to the documentation (docs.chain.link/chainlink-functions/tutorials/api-use-secrets), the BaseChainlinkFunctionsOracle::fulfillRequest function should check the requestId sent by the Decentralized Oracle Network against the s_lastRequestId sent by the sendRequest function.

function.function fulfillRequest(
bytes32 requestId,
bytes memory response,
bytes memory err
) internal override {
// @> Add verification to ensure requestId matches s_lastRequestId
+ if (requestId != s_lastRequestId) {
+ revert UnexpectedRequestID(requestId);
+ }
s_lastResponse = response;
s_lastError = err;
if (err.length == 0) {
if (response.length == 0) {
revert FulfillmentFailed();
}
_processResponse(response);
}
}
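
Review bot: `UnexpectedRequestID` is used in the added `revert UnexpectedRequestID(requestId);` but is not declared anywhere in this hunk; unless the contract already declares it elsewhere, add `error UnexpectedRequestID(bytes32 requestId);` next to `FulfillmentFailed`. Placing the check ahead of the `s_lastResponse` and `s_lastError` assignments is the right order. Separately, `revert FulfillmentFailed()` still runs after those two assignments, so an empty response rolls them back and leaves the previous stored values in place; worth a comment stating that this is intended.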

This mitigation ensures that only responses corresponding to the latest request are processed, preventing the acceptance of unsolicited or malicious data.
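
What "only responses corresponding to the latest request" means when responses arrive out of order, as an added JavaScript model (not RAAC or Chainlink code). It models only the ID comparison, not who may call the callback; `OracleModel`, `staleResponseScenario`, the `req-N` IDs and the payload strings are constructed for illustration.

```javascript
// Added model, not RAAC or Chainlink code. IDs and payloads are constructed.
class OracleModel {
  constructor(checkRequestId) {
    this.checkRequestId = checkRequestId; // false: as reported, true: with the check
    this.lastRequestId = null; // mirrors s_lastRequestId
    this.lastResponse = null; // mirrors s_lastResponse
    this.lastError = null; // mirrors s_lastError
    this.value = null; // what _processResponse would store
    this.nonce = 0;
  }

  sendRequest() {
    this.lastRequestId = `req-${++this.nonce}`; // constructed ID format
    return this.lastRequestId;
  }

  // Mirrors fulfillRequest(requestId, response, err); a throw stands for a revert.
  fulfillRequest(requestId, response, err) {
    if (this.checkRequestId && requestId !== this.lastRequestId) {
      throw new Error(`UnexpectedRequestID(${requestId})`);
    }
    if (err.length === 0 && response.length === 0) {
      throw new Error("FulfillmentFailed"); // a revert leaves no state written
    }
    this.lastResponse = response;
    this.lastError = err;
    if (err.length === 0) this.value = response;
  }
}

// Two requests are sent; responses arrive for the newer one, then the older
// one, then for an ID that was never requested.
function staleResponseScenario(checkRequestId) {
  const oracle = new OracleModel(checkRequestId);
  const first = oracle.sendRequest();
  const second = oracle.sendRequest();
  const arrivals = [[second, "price-new"], [first, "price-old"], ["req-999", "price-unsolicited"]];
  const outcome = [];
  for (const [id, payload] of arrivals) {
    try {
      oracle.fulfillRequest(id, payload, "");
      outcome.push(`${id}:accepted`);
    } catch (e) {
      outcome.push(`${id}:${e.message}`);
    }
  }
  return { value: oracle.value, outcome };
}
```

With the check enabled, the response for the superseded first request is rejected along with the unsolicited one, so callers that send requests back to back should expect the earlier fulfilment to revert.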

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
