Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Missing Validation for LINK Token Deposit

Author Revealed upon completion

Root + Impact

Description

  • In the requestMintWeatherNFT function, if the user opts to register a keeper (_registerKeeper == true), the contract attempts to transfer an _initLinkDeposit amount of LINK tokens from the user:

IERC20(s_link).safeTransferFrom(
    msg.sender,
    address(this),
    _initLinkDeposit
);

However, the contract does not validate whether:

  • _initLinkDeposit meets a minimum acceptable amount.


Impact:

  • Users could provide 0 or too little _initLinkDeposit, leading to improper keeper subscription behavior.

  • Transactions may revert unexpectedly if LINK approval is missing or insufficient, creating confusion.

Recommended Mitigation

Add validation before attempting the LINK transfer:

require(_initLinkDeposit >= MIN_LINK_DEPOSIT, "Link deposit too low");

Updates

Appeal created

bube Lead Judge about 7 hours ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] The LINK deposit is not checked

This is informational/invalid. If the LINK deposit is not enough, the function `registerUpkeep` will revert and it is the responsibility of the user to provide the correct amount of `_initLinkDeposit`, if the user wants automated weather updates.
