Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Insufficient validation on LINK deposit amount can lead to non-functional automation

khan_afzali

Description

The WeatherNft::requestMintWeatherNFT() function allows users to register for automated weather updates by setting _registerKeeper to true and providing LINK tokens via the _initLinkDeposit parameter. However, the function does not validate that the deposit amount is sufficient to fund Chainlink Automation operations. A user can pass any value, including zero, which would result in automation that fails immediately or after minimal usage due to insufficient funds.

if (_registerKeeper) {

IERC20(s_link).safeTransferFrom(msg.sender, address(this), _initLinkDeposit);

}

Impact: NFTs registered with insufficient LINK deposits will have non-functioning automation. This creates several issues:

Users may believe their NFT will update automatically when it won't
System resources are wasted on registering automations that will fail
Users have no way to add more LINK later (no top-up function)
The contract's reputation could be damaged when automations fail unexpectedly

Proof of Concept :A user could call requestMintWeatherNFT with

The function would accept this call, register an automation with Chainlink that has zero funding, and the automation would fail on the first attempt due to insufficient LINK

requestMintWeatherNFT(

"12345", // pincode

"US", // isoCode

true, // _registerKeeper = true (enabling automation)

86400, // _heartbeat = daily updates

0 // _initLinkDeposit = 0 LINK (no funds for automation)

);

Recommended Mitigation:

Add a minimum deposit requirement for automation registration:

Define a minimum required LINK deposit as a contract constant

Additionally, consider implementing a function to allow users to add more LINK to their automation subscription when funds run low.

+uint256 public constant MINIMUM_LINK_DEPOSIT = 1 * 10**18; // 1 LINK

function requestMintWeatherNFT(...) {

// Other code...

if (_registerKeeper) {

+ require(_initLinkDeposit >= MINIMUM_LINK_DEPOSIT, "Insufficient LINK for automation");

- IERC20(s_link).safeTransferFrom(msg.sender, address(this), _initLinkDeposit);

+ IERC20(s_link).safeTransferFrom(msg.sender, address(this), MINIMUM_LINK_DEPOSIT);

}

// Rest of the function...

}

Updates

Appeal created

bube Lead Judge 5 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[Invalid] The LINK deposit is not checked

This is informational/invalid. If the LINK deposit is not enough, the function `registerUpkeep` will revert and it is responsibility of the user to provide the correct amount of `_initLinkDeposit`, if the user wants automated weather updates.

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.