Weather Witness
First Flight #40
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Impact: low
Likelihood: low
Invalid

Invalid Metadata Inputs Allowed for Minting NFTs

demigods

Root + Impact

Description:
The requestMintWeatherNFT function does not validate the pincode and isoCode parameters against the user's actual location. This allows users to provide arbitrary or incorrect values, such as minting an NFT for the USA while being in Pakistan, without any validation.


The vulnerability lies in the requestMintWeatherNFT function, which does not validate the pincode and isoCode parameters:

function requestMintWeatherNFT(
string memory _pincode,
string memory _isoCode,
bool _registerKeeper,
uint256 _heartbeat,
uint256 _initLinkDeposit
) external payable returns (bytes32 _reqId) {
require(
msg.value == s_currentMintPrice,
WeatherNft__InvalidAmountSent()
);
s_currentMintPrice += s_stepIncreasePerMint;
if (_registerKeeper) {
IERC20(s_link).safeTransferFrom(
msg.sender,
address(this),
_initLinkDeposit
);
}
_reqId = _sendFunctionsWeatherFetchRequest(_pincode, _isoCode);
emit WeatherNFTMintRequestSent(msg.sender, _pincode, _isoCode, _reqId);
s_funcReqIdToUserMintReq[_reqId] = UserMintRequest({
user: msg.sender,
pincode: _pincode,
isoCode: _isoCode,
registerKeeper: _registerKeeper,
heartbeat: _heartbeat,
initLinkDeposit: _initLinkDeposit
});
}

Risk:e requestMintWeatherNFT function does not verify the authenticity of the pincode and isoCode provided by the user.

  • Initial State: A user calls the requestMintWeatherNFT function with arbitrary pincode and isoCode values.

  • Step 1: The user provides a pincode and isoCode that do not correspond to their actual location.

  • Step 2: The contract accepts these values without validation and mints an NFT with incorrect metadata.

  • Outcome: The NFT metadata is misleading, and the system's integrity is compromised.

  • Implications: This undermines the trustworthiness of the NFT collection and allows users to mint NFTs for locations they are not associated with.


Recommended Mitigation:To address this issue, integrate a validation mechanism to verify the pincode and isoCode against the user's actual location. This can be achieved by using an external oracle or API to validate the location data.

function requestMintWeatherNFT(
string memory _pincode,
string memory _isoCode,
bool _registerKeeper,
uint256 _heartbeat,
uint256 _initLinkDeposit
) external payable returns (bytes32 _reqId) {
require(
msg.value == s_currentMintPrice,
WeatherNft__InvalidAmountSent()
);
// Validate the pincode and isoCode using an external oracle or API
require(
_validateLocation(msg.sender, _pincode, _isoCode),
"WeatherNft__InvalidLocation"
);
s_currentMintPrice += s_stepIncreasePerMint;
if (_registerKeeper) {
IERC20(s_link).safeTransferFrom(
msg.sender,
address(this),
_initLinkDeposit
);
}
_reqId = _sendFunctionsWeatherFetchRequest(_pincode, _isoCode);
emit WeatherNFTMintRequestSent(msg.sender, _pincode, _isoCode, _reqId);
s_funcReqIdToUserMintReq[_reqId] = UserMintRequest({
user: msg.sender,
pincode: _pincode,
isoCode: _isoCode,
registerKeeper: _registerKeeper,
heartbeat: _heartbeat,
initLinkDeposit: _initLinkDeposit
});
}
// Helper function to validate location
function _validateLocation(
address user,
string memory pincode,
string memory isoCode
) internal view returns (bool) {
// Implement logic to validate the user's location using an oracle or API
// Example: Call an external service to verify the pincode and isoCode
return true; // Replace with actual validation logic
}
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Lack of input validation in `requestMintWeatherNFT`

This is informational. It is user's responsibility to provide correct input arguments. If the user provides incorrect arguments, it will lead to incorrect results, lost funds or failed transaction.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.