Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[EVMNINJA-WW02] Lack of Access Control in `fulfillMintRequest()`

evmninja

Root + Impact

Description

The fulfillMintRequest() function has no access control, allowing anyone to call it after a Functions request has been fulfilled. This could lead to front-running attacks where attackers detect fulfilled requests and claim the NFTs before the legitimate requester.

Related code:

function fulfillMintRequest(bytes32 requestId) external {

bytes memory response = s_funcReqIdToMintFunctionReqResponse[requestId].response;

bytes memory err = s_funcReqIdToMintFunctionReqResponse[requestId].err;

require(response.length > 0 || err.length > 0, WeatherNft__Unauthorized());

// ... rest of the function

}

Risk

Likelihood:

Medium likelihood.

Impact:

High impact.

Proof of Concept

Recommended Mitigation

Implement proper access control by either:

Making the function callable only by the original requester, or
Implementing a mechanism where only the contract owner or a designated oracle can call this function:

function fulfillMintRequest(bytes32 requestId) external {

bytes memory response = s_funcReqIdToMintFunctionReqResponse[requestId].response;

bytes memory err = s_funcReqIdToMintFunctionReqResponse[requestId].err;

require(response.length > 0 || err.length > 0, WeatherNft__Unauthorized());

UserMintRequest memory _userMintRequest = s_funcReqIdToUserMintReq[requestId];

// Require caller to be the original requester or contract owner

require(msg.sender == _userMintRequest.user || msg.sender == owner(), "Unauthorized");

// ... rest of the function

}

Updates

Appeal created

bube Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Lack of ownership check in `fulfillMintRequest` function

There is no check to ensure that the caller of the `fulfillMintRequest` function is actually the owner of the `requestId`. This allows a malicious user to receive a NFT that is payed from someone else.

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.