Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Hardcoded Initialization of s_tokenCounter

Author Revealed upon completion

Root + Impact

Description

  • In the WeatherNft contract, several state variables inherited from WeatherNftStore (e.g. s_functionsConfig, s_link, s_keeperRegistry) are initialized from constructor parameters, allowing flexible and transparent deployment configuration.

    However, s_tokenCounter, also declared in WeatherNftStore, is hardcoded directly in the constructor body instead of being set via a constructor argument. This breaks the consistency of initialization and may lead to confusion or limited flexibility in future updates.

constructor(...) {
...
@> s_tokenCounter = 1; // Direct assignment instead of configurable input
}

Risk

Likelihood:

  • This will occur every time the contract is deployed, since s_tokenCounter is not configurable.

  • Developers modifying the deployment logic or porting the contract to another project may overlook that s_tokenCounter is hardcoded and not part of the standard configuration.

Impact:

  • Limits the flexibility to start token IDs from custom values like 0, 1000, etc.

  • Reduces consistency across state variable initialization, which could impact maintainability or clarity during audits or upgrades.

Proof of Concept

// All of these are initialized through constructor args:
s_functionsConfig = _config;
s_currentMintPrice = _currentMintPrice;
...
// But this one is not:
s_tokenCounter = 1;

Recommended Mitigation

// In the WeatherNftStore.sol:
uint256 _initialTokenCounter
// In the WeatherNft.sol
s_tokenCounter = _initialTokenCounter;

Updates

Appeal created

bube Lead Judge 1 day ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
