Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Logical Misalignment Between Weather Types and URIs

demigods

Root + Impact

Description. The constructor of the `WeatherNft` contract does not validate the logical alignment between the `weathers` array and the `weatherURIs` array, allowing incorrect mappings to be stored.

require(

weathers.length == weatherURIs.length,

WeatherNft__IncorrectLength()

);

Risk
The constructor only checks that the lengths of the `weathers` and `weatherURIs` arrays are equal, but it does not validate that the weather types correspond to the correct URIs.

Initial State: The deployer initializes the contract with mismatched data, such as `Weather.Rainy` mapped to a sunny image URI.

Step 1: The constructor iterates through the arrays and stores the mappings in s_weatherToTokenURI without verifying their correctness.
Outcome: Incorrect mappings are stored in the contract, leading to NFTs with misleading metadata.
Implications: This can result in user confusion, loss of trust in the NFT project, and reputational damage for the project team.

Impact:Affected Parties: NFT buyers and the project team.

Buyers receive NFTs with incorrect metadata, and the project team faces reputational damage.

Recommended Mitigation
Add validation logic in the constructor to ensure that each weather type in the `weathers` array corresponds to the correct URI in the `weatherURIs` array

for (uint256 i = 0; i < weathers.length; ++i) {

require(

isValidWeatherURI(weathers[i], weatherURIs[i]),

"WeatherNft__InvalidWeatherURI"

);

s_weatherToTokenURI[weathers[i]] = weatherURIs[i];

}

// Add a helper function to validate the logical alignment

function isValidWeatherURI(Weather weather, string memory uri) internal pure returns (bool) {

// Implement logic to validate that the URI matches the weather type

// Example: Check if the URI contains the weather type as a substring

return bytes(uri).length > 0 && keccak256(abi.encodePacked(weather)) == keccak256(abi.encodePacked(uri));

}

Updates

Appeal created

bube Lead Judge 6 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.