Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

`request ID` of `fulfillRequest()` callback, never check against `s_lastRequestId`

0xhacksmithh

Summary

Vulnerability Details

In `BaseChainlinkFunctionsOracle.sol` Workflow is like below

  • sendRequest for sending a request.

  • It uses the FunctionsRequestlibrary to initialize the request and add any passed encrypted secrets reference or arguments.

  • sends the request to the router by calling the FunctionsClient sendRequest function. Finally, it stores the request id in s_lastRequestId .

  • fulfillRequest to be invoked during the callback

During this fulfillRequest()there should be a `requestId` validation to check if callback requestId is equal to lastRequestId stored in contract other wise it should revert a msg.

Same method of validation present in Chainlink Guide, should implement something similar like this

https://docs.chain.link/chainlink-functions/tutorials/api-query-parameters#examine-the-code

function fulfillRequest(
bytes32 requestId, // @audit-issue requestId not checked
bytes memory response,
bytes memory err
) internal override {
s_lastResponse = response;
s_lastError = err; // @audit
if (err.length == 0) {
if (response.length == 0) {
revert FulfillmentFailed();
}
_processResponse(response);
}
}

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/oracles/BaseChainlinkFunctionsOracle.sol#L99-L113

Impact

Tools Used

manual review

Recommendations

function fulfillRequest(
bytes32 requestId,
bytes memory response,
bytes memory err
) internal override {
if (s_lastRequestId != requestId) {
revert UnexpectedRequestID(requestId);
}
s_lastResponse = response;
s_lastError = err;
......
......
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.