Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Oracle Request Injection via User-Controlled Location

Root + Impact

Unvalidated user input in the location field enables Oracle URL injection, leading to off-chain data manipulation.

Description

  • The application takes a user-provided location string and embeds it, unmodified, into the request URL inside the JavaScript source that is sent to Chainlink Functions.

  • An attacker can submit a crafted location (e.g., containing URL fragments or redirects) to manipulate the request or potentially trick the oracle into fetching attacker-controlled data.

const location = process.argv[2];
const url = `https://wttr.in/${location}?format=%t`;
const source = `
const location = "${location}";
const url = "${url}";
const response = await Functions.makeHttpRequest({ url });
return Functions.encodeString(response.data);
`;

Risk

Likelihood:

  • User input is used directly in the oracle request URL.

  • No sanitization, validation, or filtering is applied.

Impact:

  • Weather data can be faked to trigger invalid conditions in NFT minting logic.

  • Can lead to issuance of NFTs based on fake weather events.

Proof of Concept

The following execution of getWeather.js demonstrates how a malicious actor could manipulate the request:

// Location with malicious URL fragment
node getWeather.js "NewYork%0Ahttps://attacker.com/fake-weather"

This modifies the actual request URL to:

https://wttr.in/NewYork%0Ahttps://attacker.com/fake-weather?format=%t

Depending on how the oracle parses this, it may fetch from the attacker's endpoint.

Recommended Mitigation

Add strict validation on the location parameter in getWeather.js.

// Sanitize location
if (!/^[a-zA-Z\s]+$/.test(location)) {
  throw new Error("Invalid location format");
}

Updates
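A hardened replacement for the URL construction in getWeather.js, added here as an example (it is not the project's code): the location is checked against an allow-list, percent-encoded, and placed into a URL whose host is fixed, so a crafted value can never change the host, path structure, query or fragment of the oracle request. The regex, the ALLOWED_HOST constant and the function names are assumptions for this example.

```javascript
// Added example, not the project's getWeather.js: build the wttr.in request
// URL only from a validated, percent-encoded location.
const ALLOWED_HOST = "wttr.in";
// Allow-list for place names (letters, spaces, ". , ' -", at most 64 chars).
// The exact character set is an assumption for this example; adjust it to
// the locations the contract actually needs.
const LOCATION_RE = /^[A-Za-z][A-Za-z .,'-]{0,63}$/;

function validateLocation(raw) {
  if (typeof raw !== "string") throw new Error("location must be a string");
  const location = raw.trim();
  if (!LOCATION_RE.test(location)) throw new Error("Invalid location format");
  return location;
}

function buildWeatherUrl(raw) {
  const location = validateLocation(raw);
  // encodeURIComponent turns '/', '?', '#', '%' and whitespace into %XX
  // escapes, so the location can only ever be a single path segment.
  const url = new URL(
    `https://${ALLOWED_HOST}/${encodeURIComponent(location)}?format=%t`
  );
  // Defensive check: catches a future refactor that interpolates raw input.
  if (url.hostname !== ALLOWED_HOST) {
    throw new Error("unexpected host in oracle URL");
  }
  return url.href;
}

// Boolean form for callers that prefer a predicate over a thrown error.
function isSafeWeatherLocation(raw) {
  try {
    validateLocation(raw);
    return true;
  } catch (e) {
    return false;
  }
}
```

Call `buildWeatherUrl(process.argv[2])` where getWeather.js currently builds `url`, and embed the returned string into the Chainlink Functions source in place of the raw template.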

Appeal created

bube (Lead Judge), 4 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
