Description
The OracleService.handleIoTRequest() method responds to IoTDataRequested blockchain events by calling generateMockIoTData(), which produces fabricated random temperature and humidity readings using a weighted random number generator — completely disconnected from any real IoT sensor. This fake data is then submitted to the blockchain via fulfillIoTData() and stored permanently. The oracle service auto-starts in production (see server.js lines 256-260).
Affected Code
backend/services/oracleService.js, lines 131-179:
- handleIoTRequest() (line 131) — triggered by real blockchain events
- generateMockIoTData() (line 155) — produces fake temp/humidity with Math.random()
- fulfillIoTData() (line 181) — writes fake data to the immutable ledger
- The mock data sets the isSpoiled flag when temp > 80°F or < 32°F based on fake readings
Impact
- Fake sensor data is permanently written to the immutable blockchain, corrupting supply chain integrity.
- Batches can be falsely marked as isSpoiled, causing real financial loss and triggering unnecessary recalls.
- The entire IoT verification feature becomes a liability rather than a trust mechanism.
Suggested Fix
- Remove generateMockIoTData() entirely — it should never run outside a local test environment.
- Add an explicit if (process.env.NODE_ENV === "production") throw new Error(...) guard.
- Implement real IoT sensor integration, or disable the oracle auto-start in production unless it is explicitly enabled with a separate ORACLE_ENABLED=true flag.
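The production guard and opt-in flag from the suggested fix, written out as an added example; this is not the project's code, and the names resolveOracleStartup, assertRealReading and ORACLE_DATA_SOURCE are assumptions (only NODE_ENV and ORACLE_ENABLED appear in the issue):

```javascript
// Added example, not the project's code. Decides whether the oracle service
// may auto-start and which data source it may use, and separately refuses to
// fulfil a request with a reading that did not come from a real sensor.
// ORACLE_DATA_SOURCE is a hypothetical selector: "mock" (default) or "sensor".

// Returns { start: boolean, source: string } or throws on an unsafe combination.
function resolveOracleStartup(env) {
  const isProduction = env.NODE_ENV === "production";
  const enabled = env.ORACLE_ENABLED === "true";
  const source = env.ORACLE_DATA_SOURCE || "mock";

  // Mock readings must never be generated by a production process at all,
  // regardless of whether the oracle was explicitly enabled.
  if (isProduction && source === "mock") {
    throw new Error(
      "Refusing to start oracle: ORACLE_DATA_SOURCE=mock is not allowed when NODE_ENV=production"
    );
  }

  // In production the oracle stays off unless ORACLE_ENABLED=true is set explicitly.
  if (isProduction && !enabled) {
    return { start: false, source };
  }

  return { start: true, source };
}

// Defence in depth at the fulfilment step: in production, only readings tagged
// as coming from a sensor may be submitted to the ledger. Returns true when the
// reading is acceptable, throws otherwise.
function assertRealReading(reading, env) {
  if (env.NODE_ENV === "production" && reading.source !== "sensor") {
    throw new Error("Refusing to fulfil IoT request with a non-sensor reading");
  }
  return true;
}
```

Calling resolveOracleStartup(process.env) before the auto-start in server.js makes the unsafe production configuration fail loudly at boot instead of silently writing fabricated readings.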