The **NFT Hijacking Vulnerability** caused by the lack of permission verification in the `fulfillMintRequest` function.
Root + Impact
Description
In the contract, the fulfillMintRequest(bytes32 requestId, bytes memory response, bytes memory err) function does not verify whether the caller is the user corresponding to the request ID (requestId). This allows anyone to use another person's requestId to mint NFTs, thereby transferring ownership of the NFTs that should belong to others to themselves.
Risk
Impact:
The NFT is minted to the wrong address.
Proof of Concept
User A initiates a request via
requestMintWeatherNFT().The chain triggers an event or stores the
requestId.Attacker B monitors the chain events (such as
WeatherRequestSent) and obtains thisrequestId.B forges a call to
fulfillMintRequest(requestId, ...).The contract mints the NFT, which was supposed to be minted to A, to B instead.
Recommended Mitigation
Add permission verification logic in fulfillMintRequest to ensure that only the original requester can complete the minting.
Appeal created
Lack of ownership check in `fulfillMintRequest` function
There is no check to ensure that the caller of the `fulfillMintRequest` function is actually the owner of the `requestId`. This allows a malicious user to receive a NFT that is payed from someone else.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.