Description:
The function doesn’t validate _pincode, _isoCode, _heartbeat, or _initLinkDeposit, allowing invalid inputs that break Chainlink requests or automation.
Impact:
Empty strings or zero values cause failed API calls or stuck NFTs.
Wastes ETH and LINK, reducing user trust.
Proof of Concept:
Call with _pincode = "", _heartbeat = 0.
Chainlink request fails or NFT is unupdatable.
Recommended Mitigation:
Add validation:
This is informational. It is the user's responsibility to provide correct input arguments. If the user provides incorrect arguments, it will lead to incorrect results, lost funds or a failed transaction.