Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Lack of Emergency Stop Mechanism in Weather NFT Contract

mimis

Description

The contract lacks a pause mechanism, preventing the ability to halt operations during emergencies or when vulnerabilities are discovered.

Risk

Severity: High
Likelihood: Medium

Summary

The requestMintWeatherNFT and other critical functions lack pause protection, making it impossible to stop malicious activities or protect users during emergencies.

Vulnerability Details

Root Cause: Absence of pause modifier and pause control mechanism in the contract architecture.

Initial State: Contract operates continuously without ability to halt.

Attack Scenario:

A vulnerability is discovered in the contract
Attacker begins exploiting the vulnerability
Contract owner has no mechanism to prevent further exploitation
Users continue to lose funds while fix is prepared

Proof of Concept

// Attacker can continue calling function even during known exploits

function attackVector() external {

bytes32 reqId;

// Attacker can repeatedly call this with no way to stop

while (true) {

reqId = weatherNft.requestMintWeatherNFT(

"123456",

"US",

false,

3600,

1e18

);

}

Impact

No way to prevent losses during active exploits
Contract owner powerless during emergencies
Users funds at constant risk
Increased liability for protocol

Tools Used

Manual Review
Static Analysis

Recommendations

Add pause mechanism with granular control:

contract WeatherNft is WeatherNftStore, ERC721, FunctionsClient, ConfirmedOwner, AutomationCompatibleInterface, Pausable {

// ...existing code...

modifier whenContractActive() {

require(!paused(), "Contract is paused");

}

function pause() external onlyOwner {

_pause();

}

function unpause() external onlyOwner {

_unpause();

}

function requestMintWeatherNFT(

string memory _pincode,

string memory _isoCode,

bool _registerKeeper,

uint256 _heartbeat,

uint256 _initLinkDeposit

) external payable whenContractActive returns (bytes32 _reqId) {

// ...existing code...

}

Alternative Implementation with Granular Pausing:

contract WeatherNft {

enum PauseType { MINTING, UPDATES, ALL }

mapping(PauseType => bool) public pauseStatus;

modifier whenNotPaused(PauseType pauseType) {

require(!pauseStatus[pauseType] && !pauseStatus[PauseType.ALL], "Operation paused");

}

function setPauseStatus(PauseType pauseType, bool status) external onlyOwner {

pauseStatus[pauseType] = status;

emit PauseStatusChanged(pauseType, status);

}

Updates

Appeal created

bube Lead Judge 7 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.