Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Keeper Logic Missing — performUpkeep Always Executable

Root + Impact

The checkUpkeep() function always returns true, which allows performUpkeep() to be called repeatedly, leading to unnecessary gas usage or malicious spam.

Description

  • Normally, checkUpkeep() should return false when no action is needed.

  • In this contract, it always returns true.

    function checkUpkeep(bytes calldata) external view returns (bool upkeepNeeded, bytes memory) {
        return (true, bytes(""));
    }

Risk

Likelihood:

  • Always returns true regardless of real contract state.

  • Any keeper will repeatedly call performUpkeep().

Impact:

  • Repeated unnecessary oracle calls.

  • Waste of LINK and execution gas.

  • May degrade contract performance and front-run real usage.

Proof of Concept

Call checkUpkeep() via a bot/keeper repeatedly:

    // pseudocode - called via bot
    while (true) {
        if (contract.checkUpkeep()[0] === true) {
            contract.performUpkeep();
        }
    }

Recommended Mitigation

Fully implement checkUpkeep() to match Chainlink Keeper standards by adding state-based gating logic:

    function checkUpkeep(bytes calldata) external view returns (bool upkeepNeeded, bytes memory) {
        upkeepNeeded = (block.timestamp > lastMintTime + interval && !requestInProgress);
        return (upkeepNeeded, bytes(""));
    }

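Added example, not the Weather Witness contract and not the submitter's code: a hypothetical contract in which checkUpkeep() and performUpkeep() share one gating condition. Because performUpkeep() is external, it re-validates the condition on-chain instead of relying on the checkUpkeep() view result. The contract name and all state names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration only. lastUpkeepTime, interval and
// requestInProgress are assumed names, not taken from the audited contract.
contract GatedUpkeepExample {
    uint256 public immutable interval; // minimum seconds between upkeeps
    uint256 public lastUpkeepTime;     // timestamp of the last accepted upkeep
    bool public requestInProgress;     // true while an oracle request is pending

    error UpkeepNotNeeded();

    constructor(uint256 _interval) {
        interval = _interval;
        lastUpkeepTime = block.timestamp;
    }

    // Single source of truth for the gating condition.
    function _upkeepNeeded() internal view returns (bool) {
        return block.timestamp > lastUpkeepTime + interval && !requestInProgress;
    }

    // Simulated off-chain by the automation network; false means "nothing to do".
    function checkUpkeep(bytes calldata)
        external
        view
        returns (bool upkeepNeeded, bytes memory performData)
    {
        upkeepNeeded = _upkeepNeeded();
        performData = "";
    }

    // Callable by any address, so the condition is enforced here as well.
    function performUpkeep(bytes calldata) external {
        if (!_upkeepNeeded()) revert UpkeepNotNeeded();
        lastUpkeepTime = block.timestamp; // update state before any external call
        requestInProgress = true;
        // The oracle request would be sent here (omitted).
    }

    // To be called from the oracle fulfillment callback (omitted).
    function _onFulfilled() internal {
        requestInProgress = false;
    }
}
```
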
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
