Weather Witness
First Flight #40
Tags: Beginner Friendly, Foundry, Solidity, NFT

Submission Details
Severity: high
Status: Valid

Potential DoS

Root + Impact

Description

  • If a user wants to mint an NFT with upkeep updates enabled, the contract calls `registerUpkeep` on `IAutomationRegistrarInterface`, which registers the upkeep with the Chainlink Automation registrar.

  • If that registrar call reverts (because of registrar misconfiguration, lack of LINK, or an external issue), the NFT is not minted even though the user has paid for it and the Chainlink Functions request has already completed successfully.

Relevant excerpt (the `@>` marker points at the external call that can revert):

```solidity
        triggerConfig: "",
        offchainConfig: "",
        amount: uint96(_userMintRequest.initLinkDeposit)
    });
@>  upkeepId = IAutomationRegistrarInterface(s_keeperRegistrar)
        .registerUpkeep(_keeperParams);
}
```

Risk

Likelihood:

  • This occurs whenever the Chainlink Keeper registrar is unavailable, misconfigured, out of LINK, or otherwise fails to process the registration.

  • Any external or temporary issue with the registrar can block all NFT mints that request upkeep, regardless of the contract's own correctness.

Impact:

  • Users can be denied NFTs they paid for, leading to loss of funds and trust.

  • An external dependency (the registrar) can cause a denial of service for core contract functionality.

Proof of Concept

  1. User requests to mint an NFT with upkeep enabled

  2. Chainlink Functions fulfills the weather request successfully

  3. User calls fulfillMintRequest with the returned reqId

  4. Suppose the Chainlink Keeper registrar is misconfigured, out of LINK, or otherwise fails

  5. Result: The NFT is NOT minted, even though the user paid and the oracle succeeded.

Conclusion: The user cannot claim their NFT until the registrar issue is resolved.

The two calls exercised by the PoC:

```solidity
weatherNft.requestMintWeatherNFT("125001", "IN", true, 12 hours, 5e18);
weatherNft.fulfillMintRequest(reqId);
```
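The DoS path from the PoC and the recommended fallback, reduced to a runnable Foundry test. This is an added example, not the Weather Witness contract or its test suite; `IRegistrarLike`, `RevertingRegistrar`, `VulnerableMint`, `HardenedMint` and the bytes-typed `registerUpkeep` parameter are constructed stand-ins for the registrar interface and the mint flow, kept only as far as the finding needs them.

```solidity
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Constructed stand-in for the registrar call the finding is about (not Chainlink's real interface).
interface IRegistrarLike {
    function registerUpkeep(bytes calldata params) external returns (uint256);
}
// Mock registrar playing a misconfigured or LINK-starved registrar: every call reverts.
contract RevertingRegistrar is IRegistrarLike {
    function registerUpkeep(bytes calldata) external pure returns (uint256) {
        revert("registrar unavailable");
    }
}
// Reduced model of the vulnerable flow (not the project's contract): the mint completes
// only after registration succeeds, so a registrar revert reverts the whole mint (the DoS).
contract VulnerableMint {
    address public s_keeperRegistrar;
    uint256 public minted;
    constructor(address registrar) { s_keeperRegistrar = registrar; }
    function fulfillMintRequest() external returns (uint256 upkeepId) {
        upkeepId = IRegistrarLike(s_keeperRegistrar).registerUpkeep("");
        minted += 1; // never reached when the registrar reverts
    }
}
// Same flow with the recommended try/catch: the failure is logged and the mint still completes.
contract HardenedMint is VulnerableMint {
    event KeeperRegistrationFailed(uint256 tokenId);
    constructor(address registrar) VulnerableMint(registrar) {}
    function fulfillMintRequestSafe() external returns (uint256 upkeepId) {
        try IRegistrarLike(s_keeperRegistrar).registerUpkeep("") returns (uint256 id) {
            upkeepId = id;
        } catch {
            emit KeeperRegistrationFailed(minted); // upkeepId stays 0: no upkeep registered
        }
        minted += 1;
    }
}

contract RegistrarDosTest is Test {
    function test_registrarRevertBlocksMint() public {
        VulnerableMint nft = new VulnerableMint(address(new RevertingRegistrar()));
        vm.expectRevert(bytes("registrar unavailable"));
        nft.fulfillMintRequest();
        assertEq(nft.minted(), 0); // user paid, got nothing
    }
    function test_hardenedMintStillCompletes() public {
        HardenedMint nft = new HardenedMint(address(new RevertingRegistrar()));
        assertEq(nft.fulfillMintRequestSafe(), 0);
        assertEq(nft.minted(), 1);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; the first test fails the mint exactly as in the PoC, the second shows the mint surviving the same registrar failure.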

Recommended Mitigation

Wrap the `registerUpkeep` call in a try/catch: on failure, emit an event and continue minting the NFT.

+ event KeeperRegistrationFailed(uint256 tokenId, bytes32 requestId);
//rest of existing code
- upkeepId = IAutomationRegistrarInterface(s_keeperRegistrar)
- .registerUpkeep(_keeperParams);
+ try IAutomationRegistrarInterface(s_keeperRegistrar).registerUpkeep(_keeperParams) returns (uint256 _upkeepId) {
+ upkeepId = _upkeepId;
+ } catch {
+ emit KeeperRegistrationFailed(tokenId, requestId);
+ upkeepId = 0;
+ }
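Review bot: the catch branch emits `KeeperRegistrationFailed(tokenId, requestId)` and sets `upkeepId = 0`, but neither `tokenId` nor `requestId` appears in the visible lines, so confirm both are in scope at the call site and document that `0` is the sentinel for "no upkeep registered" so later code does not treat the token as automated. The user's LINK deposit passed as `amount: uint96(_userMintRequest.initLinkDeposit)` in the original call is not addressed in the catch: state what happens to it on failure (refund, hold for a retry, or keep) so the fallback does not silently consume it. A bare `catch` also discards the failure reason; `catch (bytes memory reason)` with the reason included in the event would make off-chain diagnosis of a misconfigured or LINK-starved registrar much easier.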
Updates

Appeal created

bube Lead Judge 23 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Lost fee in case of Oracle failure

If Oracle fails, the `fulfillMintRequest` function will not return the paid fee for the token to the user.
