Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

Missing input validations in `requestMintWeatherNFT`

red_jamie

Root + Impact

Description

The requestMintWeatherNFT function lacks input validation on critical parameters, which may lead to unintended behavior, broken downstream logic, or wasted user funds. Specifically:
- heartbeat is not validated for zero values. A 0 heartbeat may cause misconfigured keepers or faulty logic elsewhere.
- _pincode and _isoCode are accepted without checks for emptiness or excessive length. Empty or malformed strings could lead to failed oracle requests or undefined behavior.
- _initLinkDeposit is not validated to be greater than zero when _registerKeeper == true, which could result in no LINK being transferred, yet the contract assumes a valid deposit.

Risk

Likelihood:

Inputs are user-controlled and unguarded

Impact:

Could result in failed oracle requests, broken keeper setups, or waste of user funds

Recommended Mitigation

require(heartbeat > 0, "Invalid heartbeat");

require(bytes(_pincode).length > 0 && bytes(_pincode).length <= 10, "Invalid pincode");

require(bytes(_isoCode).length > 0 && bytes(_isoCode).length <= 3, "Invalid ISO code");

if (_registerKeeper) {

require(_initLinkDeposit > 0, "Invalid LINK deposit");

}

Updates

Appeal created

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[Invalid] The LINK deposit is not checked

This is informational/invalid. If the LINK deposit is not enough, the function `registerUpkeep` will revert and it is responsibility of the user to provide the correct amount of `_initLinkDeposit`, if the user wants automated weather updates.

[Invalid] Lack of input validation in `requestMintWeatherNFT`

This is informational. It is user's responsibility to provide correct input arguments. If the user provides incorrect arguments, it will lead to incorrect results, lost funds or failed transaction.

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.