Impact: Any malicious user can call this function, minting NFTs illegitimately without valid fulfillment or weather data.
Normally, this function should only be called by the Chainlink oracle once valid weather data is received, ensuring the integrity of NFT metadata.
However, because there is no restriction on who can call fulfillMintRequest
, any observer can invoke this function with a known or guessed request ID—causing unauthorized NFT mints.
CopyEdit
Likelihood:
Moderate—anyone watching requestId emissions can act.
Impact:
NFT collection polluted with unauthorized or incorrect tokens.
Users receive NFTs they didn’t request, breaking trust and fairness.
fulfillMintRequest()
method. Without an access control check, this leads to unauthorized NFT minting using possibly invalid or no weather data at all.fulfillMintRequest
function. It prevents any arbitrary caller from triggering the minting process, thus protecting against spoofed or early fulfillment and preserving the authenticity of NFTs.There is no check to ensure that the caller of the `fulfillMintRequest` function is actually the owner of the `requestId`. This allows a malicious user to receive a NFT that is payed from someone else.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.