Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

Insufficient Validation of Upkeep Deposits

demigods

Root + Impact

Description
The contract does not validate the _initLinkDeposit parameter, allowing users to pass zero as the deposit amount

This code transfers the `_initLinkDeposit` amount without checking if it is sufficient to fund the upkeep.

if (_registerKeeper) {

IERC20(s_link).safeTransferFrom(

msg.sender,

address(this),

_initLinkDeposit

);

}

Risk
The requestMintWeatherNFT function does not check if _initLinkDeposit is sufficient to fund the upkeep.
Initial State: The system allows users to register upkeep with any deposit amount, including zero.
Step 1: A user passes 0 as _initLinkDeposit during the mint request.
Step 2: The upkeep registration proceeds without sufficient funds.
Outcome: The upkeep may fail later due to insufficient funds.
Implications: This can lead to broken functionality and wasted gas fees.

Impact:

NFT owners and the project team: Owners may experience broken functionality, and the team may face inefficiencies.

Recommended Mitigation: To address this issue, add a validation check to ensure `_initLinkDeposit` is greater than or equal to a minimum required amount.

// Validate that _initLinkDeposit is sufficient

uint256 MIN_LINK_DEPOSIT = 1 * 10**18; // Example: Minimum 1 LINK

if (_registerKeeper) {

require(

_initLinkDeposit >= MIN_LINK_DEPOSIT,

"WeatherNft__InsufficientLinkDeposit"

);

Updates

Appeal created

bube Lead Judge 5 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[Invalid] The LINK deposit is not checked

This is informational/invalid. If the LINK deposit is not enough, the function `registerUpkeep` will revert and it is responsibility of the user to provide the correct amount of `_initLinkDeposit`, if the user wants automated weather updates.

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.