Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

##WeatherNft.sol## [ Emit before state change ]

hawks

Root + Impact

Description

The requestMintWeatherNFT function emits the WeatherNFTMintRequestSent event before updating contract state.

function requestMintWeatherNFT(

string memory _pincode,

string memory _isoCode,

bool _registerKeeper,

uint256 _heartbeat,

uint256 _initLinkDeposit

) external payable returns (bytes32 _reqId) {

require(

msg.value == s_currentMintPrice,

WeatherNft__InvalidAmountSent()

);

s_currentMintPrice += s_stepIncreasePerMint;

if (_registerKeeper) {

IERC20(s_link).safeTransferFrom(

msg.sender,

address(this),

_initLinkDeposit

);

}

_reqId = _sendFunctionsWeatherFetchRequest(_pincode, _isoCode);

@ > emit WeatherNFTMintRequestSent(msg.sender, _pincode, _isoCode, _reqId);

s_funcReqIdToUserMintReq[_reqId] = UserMintRequest({

user: msg.sender,

pincode: _pincode,

isoCode: _isoCode,

registerKeeper: _registerKeeper,

heartbeat: _heartbeat,

initLinkDeposit: _initLinkDeposit

});

}

Risk

Likelihood:

When a frontend or off-chain indexer listens for the WeatherNFTMintRequestSent event and immediately queries the contract state, it may retrieve incomplete or outdated data because the state update hasn't occurred yet.

Occurs during normal execution of requestMintWeatherNFT when event listeners rely on the event to reflect finalized state changes.

Impact:

Off-chain services like indexers or dApps might use the event before the state is updated, causing them to show wrong or incomplete data.

This can make it harder to track what really happened, since the event doesn't match the actual contract state at that moment.

Proof of Concept

Recommended Mitigation

Emit the WeatherNFTMintRequestSent event after the state update to ensure emitted logs reflect the finalized contract state.

- remove this code

emit WeatherNFTMintRequestSent(msg.sender, _pincode, _isoCode, _reqId);

s_funcReqIdToUserMintReq[_reqId] = UserMintRequest({

user: msg.sender,

pincode: _pincode,

isoCode: _isoCode,

registerKeeper: _registerKeeper,

heartbeat: _heartbeat,

initLinkDeposit: _initLinkDeposit

});

+ add this code

s_funcReqIdToUserMintReq[_reqId] = UserMintRequest({

user: msg.sender,

pincode: _pincode,

isoCode: _isoCode,

registerKeeper: _registerKeeper,

heartbeat: _heartbeat,

initLinkDeposit: _initLinkDeposit

});

emit WeatherNFTMintRequestSent(msg.sender, _pincode, _isoCode, _reqId);

}

Updates

Appeal created

bube Lead Judge 23 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.