Normally, LINK consumption should be protected with checks to avoid draining the balance. Here, the contract allows continuous Chainlink Functions requests via repeated `performUpkeep()` calls, or by registering with an extremely low deposit and a zero heartbeat, which triggers infinite upkeep.
Likelihood:
Will occur as soon as a malicious user registers with low LINK deposits or calls `performUpkeep()` on many tokenIds. No LINK threshold, rate limit, or gas refund check exists to prevent abuse.
Impact:
LINK funds are drained rapidly, making Automation and Chainlink Functions unusable. Service degradation for all users and blocked automation due to insufficient LINK.
Here's a scenario: the attacker calls `requestMintWeatherNFT(..., false, 0, 0)` multiple times, minting NFTs without depositing LINK. Then the attacker repeatedly calls `performUpkeep()` for each token, forcing the contract to send LINK-consuming Chainlink Functions requests in a tight loop. Over time, LINK is drained, and the contract can no longer serve real users.
- Enforce a non-zero minimum heartbeat value, e.g., `require(heartbeat >= MIN_HEARTBEAT)`.
- Enforce a minimum `_initLinkDeposit` and validate registration success before accepting the request.
- Consider using a pull-payment model or a user-funded LINK balance system where each NFT's upkeep and Functions calls are directly tied to user deposits.
- Add a LINK balance check before sending Chainlink Functions requests to prevent unexpected failure.
- Optionally: track and cap LINK usage per user or token to contain abuse.
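A sketch of how the recommendations above could look in the contract, written here as an added example (it is not the project's code): the heartbeat and deposit floors are enforced at mint, the registration result is checked, and `performUpkeep()` is restricted to the Automation forwarder or the token owner, allowed at most once per heartbeat, and preceded by a LINK balance check. `MIN_HEARTBEAT` is the only name taken from the finding; `MIN_LINK_DEPOSIT`, `MIN_LINK_RESERVE`, the forwarder address, the `s_*` storage names and the `_registerUpkeep` / `_sendWeatherRequest` hooks are assumptions, and the real Chainlink Automation registrar and Functions calls are left behind those hooks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal LINK view; a real contract would use LinkTokenInterface.
interface ILinkToken {
    function balanceOf(address account) external view returns (uint256);
}

/// Added illustration, not the audited contract. Every identifier below
/// that is not quoted in the finding is a hypothetical placeholder.
abstract contract HardenedWeatherNft {
    uint256 public constant MIN_HEARTBEAT = 1 hours;  // assumed floor on the refresh interval
    uint96 public constant MIN_LINK_DEPOSIT = 1e18;   // assumed floor: 1 LINK per registration
    uint256 public constant MIN_LINK_RESERVE = 1e18;  // assumed: keep at least 1 LINK in reserve

    ILinkToken public immutable i_link;
    address public immutable i_forwarder;             // Automation forwarder allowed to call performUpkeep

    uint256 private s_nextTokenId;
    mapping(uint256 => address) private s_owner;
    mapping(uint256 => uint256) private s_heartbeat;  // seconds between refreshes, 0 = no automation
    mapping(uint256 => uint256) private s_lastRefresh;
    mapping(uint256 => uint256) private s_upkeepId;

    error HeartbeatTooLow(uint256 given, uint256 min);
    error DepositTooLow(uint96 given, uint96 min);
    error UpkeepRegistrationFailed(uint256 tokenId);
    error NotRegisteredForUpkeep(uint256 tokenId);
    error NotAuthorized(address caller);
    error HeartbeatNotElapsed(uint256 tokenId, uint256 nextAllowed);
    error InsufficientLink(uint256 balance, uint256 required);

    constructor(address link, address forwarder) {
        i_link = ILinkToken(link);
        i_forwarder = forwarder;
    }

    /// Hooks standing in for the Automation registrar and the Functions
    /// request; both are out of scope for this sketch.
    function _registerUpkeep(uint256 tokenId, uint96 linkDeposit) internal virtual returns (uint256 upkeepId);
    function _sendWeatherRequest(uint256 tokenId) internal virtual;

    /// Minting without automation (registerKeeper == false) stays allowed;
    /// a registration with a zero heartbeat or a tiny deposit is rejected
    /// up front instead of being accepted and then draining shared LINK.
    function requestMintWeatherNFT(bool registerKeeper, uint256 heartbeat, uint96 initLinkDeposit)
        external
        returns (uint256 tokenId)
    {
        tokenId = s_nextTokenId++;
        s_owner[tokenId] = msg.sender;

        if (registerKeeper) {
            if (heartbeat < MIN_HEARTBEAT) revert HeartbeatTooLow(heartbeat, MIN_HEARTBEAT);
            if (initLinkDeposit < MIN_LINK_DEPOSIT) revert DepositTooLow(initLinkDeposit, MIN_LINK_DEPOSIT);

            uint256 upkeepId = _registerUpkeep(tokenId, initLinkDeposit);
            // Assumption: the hook returns 0 when registration did not complete.
            if (upkeepId == 0) revert UpkeepRegistrationFailed(tokenId);

            s_heartbeat[tokenId] = heartbeat;
            s_upkeepId[tokenId] = upkeepId;
        }
    }

    /// Only the forwarder or the token owner may trigger a refresh, never
    /// for an unregistered token, and never more often than the heartbeat,
    /// so a tight loop of performUpkeep() calls cannot burn LINK.
    function performUpkeep(bytes calldata performData) external {
        uint256 tokenId = abi.decode(performData, (uint256));
        if (msg.sender != i_forwarder && msg.sender != s_owner[tokenId]) revert NotAuthorized(msg.sender);

        uint256 heartbeat = s_heartbeat[tokenId];
        if (heartbeat == 0) revert NotRegisteredForUpkeep(tokenId);

        uint256 nextAllowed = s_lastRefresh[tokenId] + heartbeat;
        if (block.timestamp < nextAllowed) revert HeartbeatNotElapsed(tokenId, nextAllowed);

        uint256 balance = i_link.balanceOf(address(this));
        if (balance < MIN_LINK_RESERVE) revert InsufficientLink(balance, MIN_LINK_RESERVE);

        s_lastRefresh[tokenId] = block.timestamp;  // record before the external call
        _sendWeatherRequest(tokenId);
    }
}
```

The heartbeat check in `performUpkeep()` is what actually stops the tight loop: even an authorised caller gets one request per heartbeat per token, and a token minted with `registerKeeper == false` can never trigger a request at all.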
This is informational/invalid. If the LINK deposit is not enough, the function `registerUpkeep` will revert, and it is the responsibility of the user to provide the correct amount of `_initLinkDeposit` if the user wants automated weather updates.
This is informational. It is the user's responsibility to provide correct input arguments. If the user provides incorrect arguments, it will lead to incorrect results, lost funds, or a failed transaction.
The `performUpkeep` function should be called by the Chainlink keepers or owners of the NFT. But there is no access control, and anyone can call the function. This leads to malicious consumption of the user's LINK deposit.