The GivingThanks::updateRegistry function currently lacks access control, allowing any user to modify the registry address. Without restrictions, a malicious user could replace the registry with an unauthorized or malicious address. This could compromise the protocol, as functions such as donate depend on verified charity addresses from the registry. If the registry points to an unauthorized address, critical operations will revert due to unverified charity addresses, rendering the protocol inoperable.
This vulnerability allows unauthorized users to alter the registry address, potentially redirecting it to a malicious contract and making the protocol unusable. The integrity and functionality of the protocol are compromised, as legitimate donate transactions would fail when the registry points to an unverified address.
Implement an access control check in the updateRegistry function to restrict updates to the contract owner only.
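
The unrestricted setter next to an owner-only version, as an added example that is not the GivingThanks source. The contract names, the IRegistry interface with isVerified, the custom errors, the event and the zero-address check are assumptions made for illustration; only updateRegistry, donate, registry and the owner-only restriction come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical registry interface: the finding only states that donate relies
// on verified charity addresses from the registry.
interface IRegistry {
    function isVerified(address charity) external view returns (bool);
}

// Setter as the finding describes it: no caller check.
contract RegistryUnrestricted {
    IRegistry public registry;

    constructor(address _registry) { registry = IRegistry(_registry); }

    // Any account can repoint the registry, so verification can no longer be trusted.
    function updateRegistry(address _registry) public {
        registry = IRegistry(_registry);
    }
}

// Same setter with the recommended owner-only check.
contract RegistryOwnerOnly {
    IRegistry public registry;
    address public immutable owner; // fixed at deployment (assumption)

    error NotOwner(address caller);
    error ZeroRegistry();
    // Emitted on every change so monitoring can alert on registry updates.
    event RegistryUpdated(address indexed previous, address indexed current);

    constructor(address _registry) {
        owner = msg.sender;
        registry = IRegistry(_registry);
    }

    function updateRegistry(address _registry) external {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        if (_registry == address(0)) revert ZeroRegistry();
        emit RegistryUpdated(address(registry), _registry);
        registry = IRegistry(_registry);
    }

    // donate consults whatever registry is currently set, which is why the setter matters.
    function donate(address charity) external payable {
        require(registry.isVerified(charity), "charity not verified");
        (bool ok, ) = charity.call{value: msg.value}("");
        require(ok, "transfer failed");
    }
}
```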
Likelihood: High, anyone can change it at any time.
Impact: High, can bypass the verification process.