Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Insufficient Input Validation

Description:
The function doesn’t validate _pincode, _isoCode, _heartbeat, or _initLinkDeposit, allowing invalid inputs that break Chainlink requests or automation.

```solidity
function requestMintWeatherNFT(string memory _pincode, string memory _isoCode, ...) external payable {
    require(msg.value == s_currentMintPrice, WeatherNft__InvalidAmountSent()); // @audit Only msg.value checked
    ...
}
```

Impact:

  • Empty strings or zero values cause failed API calls or stuck NFTs.

  • Wastes ETH and LINK, reducing user trust.

Proof of Concept:

  1. Call with _pincode = "", _heartbeat = 0.

  2. Chainlink request fails or NFT is unupdatable.

Proof of Code
```solidity
function testInvalidInputs() public {
    vm.deal(user, 1 ether);
    vm.prank(user);
    weatherNft.requestMintWeatherNFT{value: 1 ether}("", "", true, 0, 0); // Passes but fails later
}
```

Recommended Mitigation:
Add validation:

```solidity
require(bytes(_pincode).length > 0, "Empty pincode");
require(bytes(_isoCode).length == 2, "Invalid ISO code");
require(_heartbeat > 0, "Invalid heartbeat");
if (_registerKeeper) require(_initLinkDeposit > 0, "Invalid LINK deposit");
```

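
The checks recommended above, gathered into one reusable library with custom errors and a character-level check on the ISO code. This is an added example, not code from the submission or from the Weather Witness repository; the library name, error names, parameter types and the pincode length bound are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;

/// Added illustration. Names, types and bounds below are assumptions,
/// not taken from the audited contract.
library MintInputChecks {
    error EmptyPincode();
    error PincodeTooLong(uint256 length);
    error InvalidIsoCode();
    error ZeroHeartbeat();
    error ZeroLinkDeposit();

    uint256 internal constant MAX_PINCODE_LENGTH = 16; // assumed upper bound

    function validate(
        string memory pincode,
        string memory isoCode,
        bool registerKeeper,
        uint256 heartbeat,
        uint256 initLinkDeposit
    ) internal pure {
        // Pincode: non-empty and bounded, so the request payload stays small.
        uint256 pinLen = bytes(pincode).length;
        if (pinLen == 0) revert EmptyPincode();
        if (pinLen > MAX_PINCODE_LENGTH) revert PincodeTooLong(pinLen);

        // ISO code: exactly two ASCII letters. A length check alone would
        // still accept values such as "1!" or two spaces.
        bytes memory iso = bytes(isoCode);
        if (iso.length != 2) revert InvalidIsoCode();
        for (uint256 i = 0; i < 2; ++i) {
            bytes1 c = iso[i];
            bool upper = c >= 0x41 && c <= 0x5A; // 'A'..'Z'
            bool lower = c >= 0x61 && c <= 0x7A; // 'a'..'z'
            if (!upper && !lower) revert InvalidIsoCode();
        }

        // A zero heartbeat gives automation no usable update interval.
        if (heartbeat == 0) revert ZeroHeartbeat();

        // A LINK deposit is only required when a keeper is registered.
        if (registerKeeper && initLinkDeposit == 0) revert ZeroLinkDeposit();
    }
}
```

Calling `MintInputChecks.validate(...)` in `requestMintWeatherNFT` next to the existing price check makes a malformed request revert in the same transaction instead of failing later.
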
Updates

Appeal created

bube Lead Judge 23 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Lack of input validation in `requestMintWeatherNFT`

This is informational. It is the user's responsibility to provide correct input arguments. If the user provides incorrect arguments, it will lead to incorrect results, lost funds or a failed transaction.
