GivingThanks

First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: high
Valid

Unauthorized Registry Address Update Vulnerability

Description

The GivingThanks::updateRegistry function currently lacks access control, allowing any user to modify the registry address. Without restrictions, a malicious user could replace the registry with an unauthorized or malicious address. This could compromise the protocol, as functions such as donate depend on verified charity addresses from the registry. If the registry points to an unauthorized address, critical operations will revert due to unverified charity addresses, rendering the protocol inoperable.

Impact

This vulnerability allows unauthorized users to alter the registry address, potentially redirecting it to a malicious contract and making the protocol unusable. The integrity and functionality of the protocol are compromised, as legitimate donate transactions would fail when the registry points to an unverified address.

Recommended Mitigation

Implement an access control check in the updateRegistry function to restrict updates to the contract owner only

function updateRegistry(address _registry) public {
+ require(msg.sender == owner, "Only owner can update registry");
registry = CharityRegistry(_registry);
}
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelyhood: High, anyone can change it at anytime Impact: High, can bypass the verification process

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.