`WeatherNft::fulfillMintRequest` can be called by any unauthorized user, potentially leading to theft of the NFT

Under intended behavior, only the original requester who called `requestMintWeatherNFT` should be able to invoke `fulfillMintRequest` once the Chainlink oracle response arrives, minting the NFT to the corresponding address. However, because `fulfillMintRequest` lacks any `msg.sender` check, anyone may call it and receive the NFT.
Observers (users or bots) can watch the on-chain `WeatherNFTMintRequestSent` logs to extract `requestId`.
No additional permissions or complex interactions are needed; any address may call the function immediately.
Attackers can steal newly minted NFTs, diverting them (and any embedded value) to their own addresses.
Legitimate users may be denied service by front‑runners consuming the only valid mint operation for that
The following PoC proves that anyone can call `WeatherNft::fulfillMintRequest`. Add it to the testing suite:
Add the `onlyOwner` modifier to ensure that only the owner of the NFT can call the `WeatherNft::fulfillMintRequest` function.
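One way to bind fulfilment to the requester, as an added example that is not the WeatherNft source: a simplified model in which `MintRequestGuard`, `requestMint`, `fulfillMint` and the storage layout are hypothetical names and the oracle response handling is left out. It compares `msg.sender` with the address recorded at request time, which is the intended behavior described above, rather than using a modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified, hypothetical model of the request/fulfil mint flow.
// Added example; names and storage layout are assumptions, not the WeatherNft code.
contract MintRequestGuard {
    error NotRequester(bytes32 requestId, address caller);
    error AlreadyFulfilled(bytes32 requestId);

    event MintRequestSent(address indexed requester, bytes32 indexed requestId);
    event Minted(address indexed to, uint256 indexed tokenId);

    struct MintRequest {
        address requester; // recorded when the request is created
        bool fulfilled;    // a request can be consumed only once
    }

    mapping(bytes32 => MintRequest) private s_requests;
    mapping(uint256 => address) public ownerOf;
    uint256 private s_nextTokenId;
    uint256 private s_nonce;

    function requestMint() external returns (bytes32 requestId) {
        // Stand-in for the id an oracle request would return.
        requestId = keccak256(abi.encode(address(this), msg.sender, s_nonce++));
        s_requests[requestId] = MintRequest({requester: msg.sender, fulfilled: false});
        emit MintRequestSent(msg.sender, requestId);
    }

    function fulfillMint(bytes32 requestId) external returns (uint256 tokenId) {
        MintRequest storage req = s_requests[requestId];
        // Unknown ids have requester == address(0), so they fail this check too.
        if (req.requester != msg.sender) revert NotRequester(requestId, msg.sender);
        if (req.fulfilled) revert AlreadyFulfilled(requestId);
        req.fulfilled = true; // state change before minting

        tokenId = ++s_nextTokenId;
        // Mint to the stored requester, not to whoever happens to be calling.
        ownerOf[tokenId] = req.requester;
        emit Minted(req.requester, tokenId);
    }
}
```

Minting to the stored `requester` instead of `msg.sender` also keeps the NFT with the payer if fulfilment is later delegated to another caller such as an automation keeper.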
There is no check to ensure that the caller of the `fulfillMintRequest` function is actually the owner of the `requestId`. This allows a malicious user to receive an NFT that is paid for by someone else.