Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

performUpkeep should only run when checkUpkeep returns true

Author Revealed upon completion

Root + Impact

performUpkeep does not call checkUpkeep (or re-check the condition checkUpkeep evaluates) before acting.

As a result, the NFT weather state can be updated before the heartbeat interval has elapsed.


Description

Chainlink keepers call checkUpkeep first and only call performUpkeep when it returns true.
But performUpkeep itself has no access control and does not re-check the heartbeat, so anybody can call it directly even when checkUpkeep would return false.


Risk

Likelihood:

Low: an attacker gains little from triggering an early update.

Impact:

The NFT weather state can be updated before the heartbeat interval has elapsed.

Proof of Concept

Recommended Mitigation

Call checkUpkeep (or the condition it evaluates) inside performUpkeep and revert when it returns false.

function performUpkeep(bytes calldata performData) external override {
    // checkUpkeep returns (bool upkeepNeeded, bytes memory performData) in the
    // Chainlink interface; it is declared external, so call it through `this`
    // (or move the condition into a shared internal helper).
    (bool upkeepNeeded, ) = this.checkUpkeep(performData);
    require(upkeepNeeded, "Invalid update");
    // ... existing upkeep logic follows
}
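The unguarded performUpkeep described in the Description section, next to a hardened version that applies the recommended mitigation, as an added example. This is not the Weather Witness code base: the contract names, the `interval`/`lastTimeStamp` storage, the `updateCount` stand-in for the weather state and the forwarder-based access control are all assumptions, and the inline interface only mirrors Chainlink's AutomationCompatibleInterface so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Mirrors Chainlink's AutomationCompatibleInterface so this file compiles on its
// own (assumption: the real contract imports it from @chainlink/contracts).
interface AutomationCompatibleInterface {
    function checkUpkeep(bytes calldata checkData)
        external
        returns (bool upkeepNeeded, bytes memory performData);

    function performUpkeep(bytes calldata performData) external;
}

/// Vulnerable shape (hypothetical): performUpkeep trusts its caller and never
/// re-checks the heartbeat, so anyone can advance the state at any time.
contract WeatherUpkeepVulnerable is AutomationCompatibleInterface {
    uint256 public immutable interval; // heartbeat in seconds (assumed field)
    uint256 public lastTimeStamp;
    uint256 public updateCount;        // stands in for the NFT weather state

    constructor(uint256 _interval) {
        interval = _interval;
        lastTimeStamp = block.timestamp;
    }

    function checkUpkeep(bytes calldata)
        external view override returns (bool upkeepNeeded, bytes memory)
    {
        upkeepNeeded = (block.timestamp - lastTimeStamp) >= interval;
        return (upkeepNeeded, "");
    }

    // @> no heartbeat check and no caller check: the keeper's checkUpkeep
    //    result is simply assumed to have been true.
    function performUpkeep(bytes calldata) external override {
        lastTimeStamp = block.timestamp;
        updateCount += 1;
    }
}

/// Hardened shape: the heartbeat condition lives in one internal helper used by
/// both checkUpkeep and performUpkeep, and performUpkeep only accepts the
/// Automation forwarder or the owner.
contract WeatherUpkeepHardened is AutomationCompatibleInterface {
    uint256 public immutable interval;
    uint256 public lastTimeStamp;
    uint256 public updateCount;
    address public immutable owner;
    address public forwarder; // Chainlink Automation forwarder for this upkeep

    error NotAuthorized(address caller);
    error UpkeepNotNeeded(uint256 elapsed, uint256 required);

    constructor(uint256 _interval) {
        interval = _interval;
        lastTimeStamp = block.timestamp;
        owner = msg.sender;
    }

    function setForwarder(address _forwarder) external {
        if (msg.sender != owner) revert NotAuthorized(msg.sender);
        forwarder = _forwarder;
    }

    // Single source of truth for the heartbeat so both entry points agree.
    function _upkeepNeeded() internal view returns (bool) {
        return (block.timestamp - lastTimeStamp) >= interval;
    }

    function checkUpkeep(bytes calldata)
        external view override returns (bool upkeepNeeded, bytes memory)
    {
        return (_upkeepNeeded(), "");
    }

    function performUpkeep(bytes calldata) external override {
        if (msg.sender != forwarder && msg.sender != owner) {
            revert NotAuthorized(msg.sender);
        }
        // Re-validate the same condition checkUpkeep exposes: a direct call
        // before the heartbeat reverts instead of advancing the state.
        if (!_upkeepNeeded()) {
            revert UpkeepNotNeeded(block.timestamp - lastTimeStamp, interval);
        }
        lastTimeStamp = block.timestamp;
        updateCount += 1;
    }
}
```

In a Forge test, `vm.warp(block.timestamp + interval - 1)` followed by `performUpkeep("")` from an arbitrary address succeeds on `WeatherUpkeepVulnerable` (updateCount becomes 1) but reverts with `UpkeepNotNeeded` on `WeatherUpkeepHardened`; after warping past the interval, only a call pranked as the configured forwarder or the owner succeeds. The shared `_upkeepNeeded()` helper is preferred over `this.checkUpkeep(...)` because it avoids an external self-call and makes it impossible for the two functions to drift apart.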
Updates

Appeal created

bube Lead Judge 1 day ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can call `performUpkeep` function

The `performUpkeep` function should be called by the Chainlink keepers or owners of the NFT. But there is no access control and anyone can call the function. This leads to malicious consumption of the user's LINK deposit.
