Weather Witness

First Flight #40

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: medium

Invalid

No Rate Limiting

zeusvlun

Summary

The GetWeather.js file lacks mechanisms to handle API rate limiting or throttling, which could be an issue if many NFTs are updated in a short period.

Vulnerability Details

The code in GetWeather.js makes direct API calls to OpenWeatherMap without any rate limiting considerations:

const geoCodingRequest = Functions.makeHttpRequest({

url: "http://api.openweathermap.org/geo/1.0/zip",

method: "GET",

params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }

});

const weatherRequest = Functions.makeHttpRequest({

url: "https://api.openweathermap.org/data/2.5/weather",

method: "GET",

params: { lat: geoCodingResponse.data.lat, lon: geoCodingResponse.data.lon, appid: secrets.apiKey }

});

If many NFTs are updated simultaneously or in rapid succession, this could exceed OpenWeatherMap's API rate limits, leading to failed requests and NFTs not updating properly.

Proof of Concept

// SPDX-License-Identifier: MIT

// This is a JavaScript test file that demonstrates the rate limiting issues in GetWeather.js

// Mock the Chainlink Functions environment

const Functions = {

makeHttpRequest: async (params) => {

// Track API calls to simulate rate limiting

apiCallCount++;

// Simulate rate limiting after a certain number of calls

if (apiCallCount > RATE_LIMIT_THRESHOLD) {

return {

error: {

status: 429,

statusText: "Too Many Requests",

message: "API rate limit exceeded. Please wait before making further requests."

}

};

}

// Normal response for successful calls

if (params.url.includes("geo/1.0/zip")) {

return {

data: {

lat: 40.7128,

lon: -74.0060

}

};

} else if (params.url.includes("data/2.5/weather")) {

return {

data: {

weather: [

{

id: 800

}

main: {

temp: 20

}

};

}

};

// Import the GetWeather function (simplified version for testing)

const getWeather = (args, secrets) => {

return new Promise(async (resolve) => {

try {

// Get location data - no rate limiting consideration

const geoCodingRequest = await Functions.makeHttpRequest({

url: "http://api.openweathermap.org/geo/1.0/zip",

method: "GET",

params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }

});

if (geoCodingRequest.error) {

throw Error("Request failed, try checking the params provided");

}

// Get weather data - no rate limiting consideration

const weatherRequest = await Functions.makeHttpRequest({

url: "https://api.openweathermap.org/data/2.5/weather",

method: "GET",

params: {

lat: geoCodingRequest.data.lat,

lon: geoCodingRequest.data.lon,

appid: secrets.apiKey

}

});

if (weatherRequest.error) {

throw Error("Request failed, try checking the params provided");

}

// Extract weather ID and map to enum

const weather_id = weatherRequest.data.weather[0].id;

const weather_id_x = Math.floor(weather_id / 100);

let weather_enum;

// Weather mapping logic

if (weather_id_x === 2) weather_enum = 3;

else if (weather_id_x === 3 || weather_id_x === 5) weather_enum = 2;

else if (weather_id_x === 6) weather_enum = 5;

else if (weather_id === 800) weather_enum = 0;

else if (weather_id_x === 8) weather_enum = 1;

else weather_enum = 4;

// Return the result

resolve([weather_enum, Math.round(weatherRequest.data.main.temp)]);

} catch (error) {

console.error("Error in getWeather:", error.message);

resolve([0, 0]); // Default to SUNNY and 0 temperature on error

}

});

};

// Improved version with rate limiting consideration

const getWeatherWithRateLimiting = (args, secrets) => {

return new Promise(async (resolve) => {

try {

// Implement rate limiting with exponential backoff

const makeRateLimitedRequest = async (requestFn, retryCount = 0) => {

try {

// Add delay based on retry count (exponential backoff)

if (retryCount > 0) {

const backoffTime = Math.min(1000 * Math.pow(2, retryCount - 1), MAX_BACKOFF_TIME);

await new Promise(resolve => setTimeout(resolve, backoffTime));

console.log(`Retrying after ${backoffTime}ms backoff (attempt ${retryCount})`);

}

const response = await requestFn();

// Handle rate limiting errors

if (response.error && response.error.status === 429) {

if (retryCount < MAX_RETRY_ATTEMPTS) {

console.log("Rate limit exceeded, retrying with backoff...");

return await makeRateLimitedRequest(requestFn, retryCount + 1);

} else {

throw new Error("Rate limit exceeded and max retry attempts reached");

}

return response;

} catch (error) {

if (retryCount < MAX_RETRY_ATTEMPTS) {

console.log(`Request failed, retrying (attempt ${retryCount + 1})...`);

return await makeRateLimitedRequest(requestFn, retryCount + 1);

} else {

throw error;

}

};

// Get location data with rate limiting

const geoCodingRequest = await makeRateLimitedRequest(() =>

Functions.makeHttpRequest({

url: "http://api.openweathermap.org/geo/1.0/zip",

method: "GET",

params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }

})

);

if (geoCodingRequest.error) {

throw Error(`Geocoding request failed: ${geoCodingRequest.error.message}`);

}

// Get weather data with rate limiting

const weatherRequest = await makeRateLimitedRequest(() =>

Functions.makeHttpRequest({

url: "https://api.openweathermap.org/data/2.5/weather",

method: "GET",

params: {

lat: geoCodingRequest.data.lat,

lon: geoCodingRequest.data.lon,

appid: secrets.apiKey

}

})

);

if (weatherRequest.error) {

throw Error(`Weather request failed: ${weatherRequest.error.message}`);

}

// Extract weather ID and map to enum

const weather_id = weatherRequest.data.weather[0].id;

const weather_id_x = Math.floor(weather_id / 100);

let weather_enum;

// Weather mapping logic

if (weather_id_x === 2) weather_enum = 3;

else if (weather_id_x === 3 || weather_id_x === 5) weather_enum = 2;

else if (weather_id_x === 6) weather_enum = 5;

else if (weather_id === 800) weather_enum = 0;

else if (weather_id_x === 8) weather_enum = 1;

else weather_enum = 4;

// Return the result

resolve([weather_enum, Math.round(weatherRequest.data.main.temp)]);

} catch (error) {

console.error("Error in getWeatherWithRateLimiting:", error.message);

resolve([0, 0]); // Default to SUNNY and 0 temperature on error

}

});

};

// Test cases to demonstrate the issue

async function runTests() {

const secrets = { apiKey: "mock_api_key" };

console.log("Testing Rate Limiting Issues in GetWeather.js:");

// Test case 1: Simulate multiple NFT updates in rapid succession

console.log("\nTest Case 1: Multiple NFT Updates (Original Implementation)");

// Reset API call counter

apiCallCount = 0;

// Simulate 20 NFT updates in rapid succession

const results1 = [];

const locations = [

["10001", "US"], // NYC

["90210", "US"], // Beverly Hills

["60601", "US"], // Chicago

["02108", "US"], // Boston

["33101", "US"] // Miami

];

console.log("Simulating 20 NFT updates with original implementation...");

// Process 5 locations, 4 times each (total 20 requests)

for (let i = 0; i < 4; i++) {

for (const location of locations) {

try {

const result = await getWeather(location, secrets);

results1.push({ location, result, success: true });

} catch (error) {

results1.push({ location, error: error.message, success: false });

}

// Count successful and failed requests

const successful1 = results1.filter(r => r.success).length;

const failed1 = results1.filter(r => !r.success).length;

console.log(`Results: ${successful1} successful requests, ${failed1} failed requests`);

console.log(`Rate limit exceeded after ${RATE_LIMIT_THRESHOLD} requests`);

// Test case 2: Same test with improved implementation

console.log("\nTest Case 2: Multiple NFT Updates (Improved Implementation)");

// Reset API call counter

apiCallCount = 0;

// Simulate 20 NFT updates with rate limiting

const results2 = [];

console.log("Simulating 20 NFT updates with rate limiting implementation...");

// Process 5 locations, 4 times each (total 20 requests)

for (let i = 0; i < 4; i++) {

for (const location of locations) {

try {

const result = await getWeatherWithRateLimiting(location, secrets);

results2.push({ location, result, success: true });

} catch (error) {

results2.push({ location, error: error.message, success: false });

}

// Count successful and failed requests

const successful2 = results2.filter(r => r.success).length;

const failed2 = results2.filter(r => !r.success).length;

console.log(`Results: ${successful2} successful requests, ${failed2} failed requests`);

console.log(`Rate limiting with backoff strategy helped handle the rate limit threshold`);

// Compare results

console.log("\nComparison:");

console.log(`Original implementation: ${successful1}/${results1.length} successful (${Math.round(successful1/results1.length*100)}%)`);

console.log(`Improved implementation: ${successful2}/${results2.length} successful (${Math.round(successful2/results2.length*100)}%)`);

}

// Global variables for testing

let apiCallCount = 0;

const RATE_LIMIT_THRESHOLD = 10; // Simulate rate limit after 10 requests

const MAX_RETRY_ATTEMPTS = 3;

const MAX_BACKOFF_TIME = 8000; // 8 seconds max backoff

// Run the tests

runTests();

This PoC demonstrates the issues with the lack of rate limiting consideration in GetWeather.js:

The original implementation makes API calls without any rate limiting or backoff strategy:
- It sends requests as fast as possible without considering API rate limits
- Once the rate limit is exceeded (after 10 requests in this simulation), all subsequent requests fail
- This results in many NFTs not being updated properly
The improved implementation includes rate limiting and exponential backoff:
- It detects rate limit errors (HTTP 429) and implements a retry strategy
- It uses exponential backoff to space out requests and avoid hitting rate limits
- It successfully processes more requests by handling rate limiting gracefully

The PoC shows how implementing proper rate limiting and backoff strategies can significantly improve the reliability of the system when updating multiple NFTs in a short period.

Impact

The lack of rate limiting consideration could lead to:

API rate limit exceeded errors
Failed weather updates for NFTs
Potential service disruption for all users
Increased costs if using a paid API plan with overage charges

Tools Used

Manual code review
API integration best practices analysis

Recommendations

Implement rate limiting and backoff strategies:

// Track request timestamps and implement exponential backoff

let lastRequestTime = 0;

const MIN_REQUEST_INTERVAL = 1000; // 1 second minimum between requests

async function makeRateLimitedRequest(requestFn) {

const now = Date.now();

const timeElapsed = now - lastRequestTime;

if (timeElapsed < MIN_REQUEST_INTERVAL) {

// Wait for the remaining time before making the request

const waitTime = MIN_REQUEST_INTERVAL - timeElapsed;

await new Promise(resolve => setTimeout(resolve, waitTime));

}

lastRequestTime = Date.now();

return await requestFn();

}

// Use the rate-limited function for API calls

const geoCodingResponse = await makeRateLimitedRequest(() =>

Functions.makeHttpRequest({

url: "http://api.openweathermap.org/geo/1.0/zip",

method: "GET",

params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }

})

);

Consider implementing a batching mechanism in the smart contract to update multiple NFTs with a single API call when possible.
Add error handling specifically for rate limit errors, with appropriate retry logic.

Updates

Appeal created

bube Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

236

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.