Root: The function emits a predictable request ID (_reqId) before storing associated minting information, allowing bots or malicious actors to track and act on it.

Impact: An attacker could front-run the asynchronous process and attempt to spoof or fulfill the request before the legitimate user, leading to the minting of a weather NFT with incorrect or manipulated weather metadata.

Description

• Normally, the contract sends a Chainlink Functions request and maps the resulting request ID to the user’s mint intent.

• The request ID is emitted and accessible to everyone before internal mappings are secured, allowing attackers to exploit the delay.// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

• Request ID is visible to bots immediately after being created.

• Exploitation possible before the mint is finalized.

Impact:

• Wrong NFT metadata may be minted.

• Trust in the minting process is broken—users may not get NFTs aligned with their actual location/weather.

Proof of Concept: This scenario shows that the user who submits a mint request second may either get their transaction reverted or unintentionally overpay because the global mint price was changed by someone else right before their transaction was mined. It exploits the mutable state of s_currentMintPrice.

Recommended Mitigation: The mitigation captures the request ID in a local variable first, and only after checking for collisions or duplicates does it update the mapping. This ensures internal state is committed before exposing data externally, preventing front-running. Using a temporary variable defers exposing the ID publicly until it is safe.