Submission Details
Impact:
Likelihood:
[EVMNINJA-WW03] No Validation of Weather Enum Values
Root + Impact
Description
When decoding the weather data from Chainlink Functions, there is no validation that the received value corresponds to a valid Weather enum value. If the Functions response contains an invalid value, it could be cast to an invalid enum state, potentially causing unexpected behavior.
uint8 weather = abi.decode(response, (uint8));
// Assuming Weather enum has values from 0 to N-1
require(weather < uint8(type(Weather).max), "Invalid weather value");
s_tokenIdToWeather[tokenId] = Weather(weather);
Risk
Likelihood:
Medium likelihood.
Impact:
Medium impact.
Proof of Concept
Recommended Mitigation
Add validation to ensure the decoded weather value is within the valid range for the Weather enum:
uint8 weather = abi.decode(response, (uint8));
// Assuming Weather enum has values from 0 to N-1
require(weather < uint8(type(Weather).max), "Invalid weather value");
s_tokenIdToWeather[tokenId] = Weather(weather);
Updates
Appeal created
bube 5 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
[Invalid] Weather enum is not checked
The implementation to get the current weather is written in `GetWeather.js`. The `weather_enum` will be always in the expected range.
Rewards breakdown
nSLOC
236This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.