Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: low

Invalid

Missing Zero Address Validation in Constructor Parameters

wisedusk501

Root + Impact

Description

The constructor of the WeatherNft contract initializes several critical state variables, including s_functionsConfig, s_currentMintPrice, s_stepIncreasePerMint, s_link, s_keeperRegistry, and s_keeperRegistrar. However, there is no zero address check for these parameters, which could lead to the contract being initialized with invalid addresses. This would result in the contract being unable to interact with external systems such as Chainlink Functions, Keeper Registry, or the LINK token contract.

// Root cause in the codebase with @> marks to highlight the relevant section

constructor(

...

address _link,

address _keeperRegistry,

address _keeperRegistrar,

...

) {

...

// @> Missing zero address check for critical addresses

s_link = _link;

s_keeperRegistry = _keeperRegistry;

s_keeperRegistrar = _keeperRegistrar;

...

}

Risk

Likelihood:

This issue will occur if the deployer of the contract provides a zero address for any of the critical parameters during deployment.

Impact:

If s_link is set to the zero address, the contract will fail to interact with the LINK token contract, breaking functionality such as transferring LINK tokens for Keeper registration.
If s_keeperRegistry or s_keeperRegistrar is set to the zero address, the contract will be unable to register or interact with Chainlink Keepers, rendering automated updates for NFTs non-functional.

Recommended Mitigation

Add zero address checks for critical parameters in the constructor to ensure valid addresses are provided during deployment.

constructor(

...

address _link,

address _keeperRegistry,

address _keeperRegistrar,

...

) {

+ require(_link != address(0), "WeatherNft: LINK address cannot be zero");

+ require(_keeperRegistry != address(0), "WeatherNft: Keeper Registry address cannot be zero");

+ require(_keeperRegistrar != address(0), "WeatherNft: Keeper Registrar address cannot be zero");

s_link = _link;

s_keeperRegistry = _keeperRegistry;

s_keeperRegistrar = _keeperRegistrar;

...

}

Updates

Appeal created

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.