Weather Witness

First Flight #40
Submission Details
Impact: medium
Likelihood: medium
Invalid

[M-1] Insufficient LINK Deposit Validation in `WeatherNft::requestMintWeatherNFT`

Root + Impact

Insufficient LINK deposit validation in the WeatherNft::requestMintWeatherNFT function and fullFillMintRequest

Impact: Medium severity - the automation fails if the LINK deposit is too low, leaving the NFTs outdated.

Description

The WeatherNft::requestMintWeatherNFT function allows users to specify an _initLinkDeposit for Chainlink Automation when _registerKeeper is true. This LINK funds the upkeep registered in fullfillMintRequest. However, there's no validation to ensure _initLinkDeposit meets Chainlink's minimum requirements, risking automation failure if the deposit is insufficient.

```solidity
function requestMintWeatherNFT(
    string memory _pincode,
    string memory _isoCode,
    bool _registerKeeper,
    uint256 _heartbeat,
    uint256 _initLinkDeposit
) external payable returns (bytes32 _reqId) {
    require(
        msg.value == s_currentMintPrice,
        WeatherNft__InvalidAmountSent()
    );
    s_currentMintPrice += s_stepIncreasePerMint;
    //@> Start of root cause
    if (_registerKeeper) {
        IERC20(s_link).safeTransferFrom(
            msg.sender,
            address(this),
            _initLinkDeposit
        );
    }
    //@> End of root cause
    _reqId = _sendFunctionsWeatherFetchRequest(_pincode, _isoCode);
    // ... rest of the function
}
```

Risk

Likelihood:

Users set _initLinkDeposit to a very low value (e.g., 0 or 1 wei), which passes the transfer but is insufficient for Chainlink Automation.

Chainlink Automation rejects the upkeep due to insufficient funds, halting updates.

Impact:

NFTs fail to update, displaying outdated weather data, degrading user experience.

Users may need to manually update NFTs, incurring additional costs or abandoning automation.

Proof of Concept

```solidity
// User sets low LINK deposit
function testLowLinkDeposit() external {
    // User calls `requestMintWeatherNFT` with `_initLinkDeposit = 1 wei`
    WeatherNft(weatherNftAddress).requestMintWeatherNFT{value: 0.1 ether}(
        "12345", // pincode
        "US", // isoCode
        true, // _registerKeeper
        1 days, // _heartbeat
        1 // _initLinkDeposit (1 wei)
    );
    // Chainlink Automation fails to register or run due to insufficient LINK
}
```
  1. User sets low LINK deposit

  2. User calls requestMintWeatherNFT with _initLinkDeposit = 1 wei

  3. Chainlink Automation fails to register or run due to insufficient LINK

Recommended Mitigation

Include a new state variable constant with the minimum LINK required to deposit and then add the require in the function.

+ uint256 public constant MIN_LINK_DEPOSIT = 5 ether; // Example: 5 LINK
function requestMintWeatherNFT(
string memory _pincode,
string memory _isoCode,
bool _registerKeeper,
uint256 _heartbeat,
uint256 _initLinkDeposit
) external payable returns (bytes32 _reqId) {
require(
msg.value == s_currentMintPrice,
WeatherNft__InvalidAmountSent()
);
s_currentMintPrice += s_stepIncreasePerMint;
if (_registerKeeper) {
+ require(_initLinkDeposit >= MIN_LINK_DEPOSIT, "Insufficient LINK deposit");
IERC20(s_link).safeTransferFrom(
msg.sender,
address(this),
_initLinkDeposit
);
}
// ... rest of the function
}
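
Review bot: the added `require` inside `if (_registerKeeper)` reverts with the string "Insufficient LINK deposit", while the price check a few lines above it reverts with the custom error `WeatherNft__InvalidAmountSent()`; a dedicated custom error would keep the revert style consistent and give callers a selector to match on. The new `MIN_LINK_DEPOSIT = 5 ether` is a compile-time constant whose own comment calls it an example value, so nothing in the change ties it to the amount upkeep registration actually needs. Document how the figure was chosen, or store it in a variable the owner can update, so the floor does not end up rejecting valid deposits or accepting insufficient ones.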
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] The LINK deposit is not checked

This is informational/invalid. If the LINK deposit is not enough, the function `registerUpkeep` will revert and it is the responsibility of the user to provide the correct amount of `_initLinkDeposit`, if the user wants automated weather updates.
