Any user can call it.
An attacker could repeatedly forge `performData` and invoke the function.
Malicious actors are flooding the blockchain with forged update requests, overwriting the `s_funcReqIdToTokenIdUpdate` mapping and obfuscating the fulfillment path.
The `performUpkeep(bytes calldata performData)` function in the smart contract is designed to be triggered by the Chainlink Automation (Keeper) system when predefined conditions are met, aiming to update the on-chain data of a weather NFT. However, this function lacks any permission checks on the caller, allowing any external account (EOA) or contract to invoke it at will.
This violates the statement "When it's time for an update, the keeper calls `performUpkeep`."
Check if the caller is the registered Chainlink Keeper
The `performUpkeep` function should be called by the Chainlink keepers or owners of the NFT. But there is no access control and anyone can call the function. This leads to malicious consumption of the user's LINK deposit.
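An added example, not the audited contract's code, of the check recommended above: a stripped-down `performUpkeep` that only accepts calls from the Chainlink Automation forwarder address registered by the owner. The contract name, `s_forwarder`, `setForwarder` and the `_requestWeatherUpdate` stand-in are assumptions; `s_funcReqIdToTokenIdUpdate` is the mapping named in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only (assumed names); the weather/Functions logic is stubbed.
contract WeatherNftUpkeepExample {
    address public immutable i_owner;
    // Chainlink Automation forwarder for this upkeep (assumed storage name).
    address public s_forwarder;
    // Mapping named in the finding: Functions request id -> token id awaiting update.
    mapping(bytes32 => uint256) public s_funcReqIdToTokenIdUpdate;

    error NotOwner();
    error NotForwarder(address caller);

    event UpdateRequested(uint256 indexed tokenId, bytes32 indexed requestId);

    constructor() {
        i_owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert NotOwner();
        _;
    }

    // The vulnerable version has no such modifier: any EOA can call performUpkeep
    // with arbitrary performData, consuming LINK and rewriting the mapping.
    modifier onlyForwarder() {
        if (msg.sender != s_forwarder) revert NotForwarder(msg.sender);
        _;
    }

    // Set once the upkeep is registered; each upkeep gets its own forwarder.
    function setForwarder(address forwarder) external onlyOwner {
        s_forwarder = forwarder;
    }

    function performUpkeep(bytes calldata performData) external onlyForwarder {
        uint256 tokenId = abi.decode(performData, (uint256));
        bytes32 requestId = _requestWeatherUpdate(tokenId);
        s_funcReqIdToTokenIdUpdate[requestId] = tokenId;
        emit UpdateRequested(tokenId, requestId);
    }

    // Stand-in for the Chainlink Functions request (assumption): returns a
    // deterministic id so the example compiles without the Functions router.
    function _requestWeatherUpdate(uint256 tokenId) internal view returns (bytes32) {
        return keccak256(abi.encode(tokenId, block.number));
    }
}
```

With the guard in place, a direct call from an unregistered address reverts with `NotForwarder`, so forged `performData` can no longer spend the LINK balance or overwrite pending request ids.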