Lack of Validation for charity Address in donate Function, Risking Fund Misdirection
Summary
The donate function in the GivingThanks contract does not validate whether the charity address is valid (e.g., not set to address(0)), which could lead to accidental fund transfers to an invalid address. Without verifying that the charity address is legitimate, there is a risk that donors may send funds to unintended or incorrect destinations, resulting in a loss of funds.
Vulnerability Details
When a donor calls the donate function, they specify a charity address that receives the donation amount. However, the function does not check whether the provided charity address is non-zero and valid. If address(0) or an incorrect address is provided, the donation could be unintentionally sent to an unusable or unintended destination, making it irrecoverable. Solidity best practices advise validating critical addresses before sending funds to avoid unintended fund misdirection.
Impact
The absence of address validation could lead to donors unintentionally sending funds to invalid or unintended addresses. This could result in irrecoverable losses, reducing user trust in the contract's reliability and safety for donations.
Tools Used
Manual Review
Foundry
Recommendations
Add Address Validation for charity: Introduce a requirement to validate that the charity address is not address(0) before executing the Ether transfer:
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.