Unauthorized Registry Address Update Vulnerability
Description
The GivingThanks::updateRegistry function currently lacks access control, allowing any user to modify the registry address. Without restrictions, a malicious user could replace the registry with an unauthorized or malicious address. This could compromise the protocol, as functions such as donate depend on verified charity addresses from the registry. If the registry points to an unauthorized address, critical operations will revert due to unverified charity addresses, rendering the protocol inoperable.
Impact
This vulnerability allows unauthorized users to alter the registry address, potentially redirecting it to a malicious contract and making the protocol unusable. The integrity and functionality of the protocol are compromised, as legitimate donate transactions would fail when the registry points to an unverified address.
Recommended Mitigation
Implement an access control check in the updateRegistry function to restrict updates to the contract owner only
Lead Judging Commences
finding-anyone-can-change-registry
Likelyhood: High, anyone can change it at anytime Impact: High, can bypass the verification process
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.