Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

[L-1] No Emergency Pause Functionality

cosminmarian53

[L-1] No Emergency Pause Functionality

Description

Smart contracts often implement emergency pause mechanisms to allow quick response to critical vulnerabilities or unexpected behavior, preventing further exploitation while fixes are developed.

The WeatherNft contract lacks any pause functionality, preventing the owner from quickly stopping operations if security vulnerabilities are discovered or if critical external services like Chainlink Functions or the weather API become compromised.

contract WeatherNft is WeatherNftStore, ERC721, FunctionsClient, ConfirmedOwner, AutomationCompatibleInterface {

// @> Missing Pausable inheritance and pause/unpause functions

// Missing emergency controls to halt operations if needed

}

Risk

Likelihood: Low

Smart contracts commonly have undiscovered vulnerabilities that emerge after deployment.
External oracle services and APIs can experience outages, manipulation, or unexpected behavior.

Impact: Low

If a vulnerability is discovered, the owner must race to deploy a new contract while the existing one remains vulnerable to exploitation.
Funds and NFT ownership could be irrevocably altered while a fix is being developed and deployed.

Proof of Concept

No specific proof of concept is needed as this is a missing feature. However, if a critical vulnerability like the access control issues in fulfillMintRequest were discovered in production, the owner would have no way to temporarily halt minting operations to prevent exploitation.

Recommended Mitigation

Implement the OpenZeppelin Pausable contract and add pause/unpause functionality:

+ import {Pausable} from "@openzeppelin/contracts/security/Pausable.sol";

- contract WeatherNft is WeatherNftStore, ERC721, FunctionsClient, ConfirmedOwner, AutomationCompatibleInterface {

+ contract WeatherNft is WeatherNftStore, ERC721, FunctionsClient, ConfirmedOwner, AutomationCompatibleInterface, Pausable {

+ /**

+ * @notice Pauses the contract, preventing minting and weather updates

+ * @dev Only callable by the contract owner

+ */

+ function pause() external onlyOwner {

+ _pause();

+ }

+ /**

+ * @notice Unpauses the contract, allowing minting and weather updates to resume

+ * @dev Only callable by the contract owner

+ */

+ function unpause() external onlyOwner {

+ _unpause();

+ }

function requestMintWeatherNFT(

string memory _pincode,

string memory _isoCode,

bool _registerKeeper,

uint256 _heartbeat,

uint256 _initLinkDeposit

) external payable returns (bytes32 _reqId) {

+ whenNotPaused();

// ... existing code ...

}

function fulfillMintRequest(bytes32 requestId) external {

+ whenNotPaused();

// ... existing code ...

}

function performUpkeep(bytes calldata performData) external override {

+ whenNotPaused();

// ... existing code ...

}

Updates

Appeal created

bube Lead Judge about 2 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.