Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Anyone can call the requestMintWeatherNFT and mint NFT.

sharmarahul991073

Anyone can call the requestMintWeatherNFT and mint NFT.

Description

The fulfillMintRequest function in `WeatherNft` contract is publicly accessible without access control. This function completes the minting process based on a Chainlink request ID (bytes32 requestId) and calls _mint with the msg.sender as the recipient. However, any external user can call this function with a valid request ID.

>@audit function requestMintWeatherNFT(

string memory _pincode,

string memory _isoCode,

bool _registerKeeper,

uint256 _heartbeat,

uint256 _initLinkDeposit

) external payable returns (bytes32 _reqId) {

require(

msg.value == s_currentMintPrice,

WeatherNft__InvalidAmountSent()

);

s_currentMintPrice += s_stepIncreasePerMint;

if (_registerKeeper) {

IERC20(s_link).safeTransferFrom(

msg.sender,

address(this),

_initLinkDeposit

);

}

_reqId = _sendFunctionsWeatherFetchRequest(_pincode, _isoCode);

emit WeatherNFTMintRequestSent(msg.sender, _pincode, _isoCode, _reqId);

s_funcReqIdToUserMintReq[_reqId] = UserMintRequest({

user: msg.sender,

pincode: _pincode,

isoCode: _isoCode,

registerKeeper: _registerKeeper,

heartbeat: _heartbeat,

initLinkDeposit: _initLinkDeposit

});

}

Risk

Unauthorized minting of NFTs.

Incorrect ownership of tokens.

Replay vulnerability by reusing a known requestId.

Can potentially inflate token supply or steal LINK funds deposited for automation.

Likelihood:

Reason 1 // Missing of an access Control(OnlyOwner) or require statement.
Reason 2

Impact:

An atttacker can call this function with a known requestId and mint an Nft.
Impact 2

Proof of Concept

// An attacker calls fulfillMintRequest() with a known requestId:

weatherNft.fulfillMintRequest(validRequestId); // Attacker is now msg.sender.

Recommended Mitigation

+ add this require(

msg.sender == s_funcReqIdToUserMintReq[requestId].user,

"Only original requester can fulfill mint"

);

Updates

Appeal created

bube Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Lack of ownership check in `fulfillMintRequest` function

There is no check to ensure that the caller of the `fulfillMintRequest` function is actually the owner of the `requestId`. This allows a malicious user to receive a NFT that is payed from someone else.

Multiple tokens for one `requestId`

The `WeatherNFT::fulfillMintRequest` allows a malicious user to call multiple times the function with the same `requestId`.

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.