Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: medium
Likelihood: medium
Invalid

[M-1] Missing input validation in `WeatherNft::_sendFunctionsWeatherFetchRequest` Function.

Root + Impact

Description

The `WeatherNft::_sendFunctionsWeatherFetchRequest` function takes the inputs
`_pincode` and `_isoCode`, which are not validated properly. This leads
to malicious state updates, and the inputs are passed to the `req.setArgs(_args)` function.

Impact:

Malicious and extremely large inputs lead to unnecessary gas consumption and errors
in states which depend on `_pincode` and `_isoCode`.

Proof of Concept

Call the function with malicious inputs:

_sendFunctionsWeatherFetchRequest(
"0000000000000000000000000000000000000000000000000000",
"INVALID_ISO_CODE_TOO_LONG_TO_BE_VALID"
)

Recommended Mitigation

+require(bytes(_pincode).length>0 && bytes(_pinconde).length<=10>,"too large or too small")
+require(bytes(_isocode).length==2,"invalid iso code")
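Review bot: Neither added line compiles as written. The first `require` reads `bytes(_pinconde)` where the parameter is `_pincode` and has a stray `>` after `<=10`; the second uses `_isocode` while the description names the parameter `_isoCode`; both are missing the terminating semicolon. Once those are fixed, note that the checks bound length only: a 10-byte `_pincode` or a 2-byte `_isoCode` can still hold arbitrary bytes, so if the intent is to reject malformed values before they reach `req.setArgs(_args)`, the allowed characters need to be checked as well. The revert string "too large or too small" should also name the argument it refers to, as the second message does.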
Updates

Appeal created

bube Lead Judge 4 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Lack of input validation in `requestMintWeatherNFT`

This is informational. It is the user's responsibility to provide correct input arguments. If the user provides incorrect arguments, it will lead to incorrect results, lost funds or a failed transaction.
