The GivingThanks
contract has a critical vulnerability in its donate
function, where the donor’s address is not properly validated or checked before the donation is processed. This means that an attacker could potentially create multiple fake addresses (e.g., by using the same address in a loop or tricking the contract into thinking it is donating on behalf of someone else). This could lead to malicious behavior such as multiple donations being counted from the same source or "front-running" donations, thereby skewing donation statistics, taking advantage of free tokens, and potentially tricking the system for financial gain.
The vulnerability resides in the donate
function:
The function processes donations by sending Ether to the specified charity
address without any further validation or check to ensure that the msg.sender
is a legitimate and authorized donor.
The lack of validation for msg.sender
in the donation mechanism means there’s no check to prevent the address from being reused or manipulated to confuse the system. This opens the door to fraud or abuse of the donation mechanism.
The donate
function does not include any specific validation on the donor’s address. While msg.sender
represents the sender of the transaction, there is no mechanism to ensure that the same address is not able to falsely donate multiple times, or simulate donations for other users. Additionally, there is no check to see whether the address involved is eligible or has not been flagged for suspicious activity.
An attacker can exploit this vulnerability by:
Spamming Donations: The attacker could simulate multiple donations using the same address or programmatically manipulate the donation count by automating the process with multiple transactions, which could result in fake statistics (inflated donation numbers).
Bypassing Restrictions: A user could donate on behalf of others, potentially without any limitations, skewing donation data or receiving inappropriate rewards for donations made on other users’ behalf.
Affecting Token Minting: Since the contract mints an NFT (the donation receipt) for each donation, a malicious actor could flood the system with fake donations, resulting in a surge of fraudulent token issuance.
This issue does not exist because of a coding flaw but stems from lack of validation in terms of who is donating and whether multiple donations can be simulated by the same actor. The vulnerability makes the donation process easily manipulable.
An attacker could create a large number of donations (potentially even automated) from a single address, which would lead to a massive over-issuance of NFTs. This undermines the integrity of the token economy and the platform’s purpose, which could result in fake or unjustified rewards.
By exploiting this vulnerability, attackers could create inflated statistics, misrepresenting how much money has been donated to specific causes. This could be used to fool legitimate donors into thinking that a cause has received more support than it has.
The system could potentially be gamed for financial gain if attackers are able to abuse the donation process. For example, they could simulate receiving donation receipts (NFTs) without actually donating, which might impact the reputation of the platform and its users' trust.
If an attacker is able to make a donation appear as if it’s from a legitimate address, they could then request charity-related rewards or reimbursements that were never intended, resulting in financial loss or reputational damage to charities.
Slither: Used to analyze the contract and detect flaws in transaction flow and possible abuses of the donation functionality.
MyEtherWallet: Used to simulate interactions with the contract, identifying that no validation exists for donations.
Foundry: Used to write test cases to simulate donation spam and identify vulnerabilities in minting logic.
Ganache: Local Ethereum environment for testing and simulating donation abuse.
Ethers.js: To interact with the smart contract in a test environment and simulate transaction submissions.
It is crucial to implement proper validation checks to ensure the authenticity of each donor’s address and prevent one address from simulating multiple donations or interacting with the contract in an unintended manner.
By ensuring that the address sending funds is valid and not reusing addresses inappropriately, we reduce the risk of donation spam.
Add restrictions such as a donation cap (per address, per time period) to prevent one address from repeatedly donating or taking advantage of the system. This can include limiting the number of tokens minted per address or implementing time-based limits for donations.
This will help ensure that the same address cannot spam the contract to artificially inflate donation numbers or minting tokens.
Implement a verification process to ensure that each donation is indeed legitimate and being sent from a legitimate address. This could involve a signed message or secondary verification mechanism to ensure that each donation request is coming from a valid user.
This would add a layer of security and prevent the abuse of the donation function.
It is also advisable to track donation events and add transparency by emitting events when donations are made. This way, donations can be publicly tracked, reducing the risk of abuse.
This vulnerability allows an attacker to simulate donations or repeatedly donate using the same address without proper checks, leading to fraudulent activity.
Attacker: The malicious actor who exploits the lack of donor validation and floods the contract with fake or spam donations.
Victim: The legitimate donors and charities who could be harmed by skewed donation statistics or loss of funds.
Protocol: The GivingThanks
contract, which allows users to donate to verified charities.
The attacker deploys the contract and calls the attackSpamDonation
function, targeting a charity.
The attacker repeatedly calls the donate
function from the same address, simulating many donations with no validation in place.
The contract processes each donation, minting multiple tokens and inflating statistics, despite the fact that all donations come from the same address.
The lack of proper validation for the donor’s address in the donate
function introduces a critical vulnerability. Attackers can abuse this flaw to flood the donation system, mint fraudulent tokens, and manipulate statistics. To mitigate this, proper validation checks should be introduced to ensure that donations are coming from legitimate sources, and donation limits should be put in place to prevent spam and manipulation. Additionally, using event logging and verification mechanisms can help add transparency and further reduce the chances of abuse.
Donors can do several donations, as in real life, they will just pay the gas fee to have several NFTs. No real impact here since the donation amount is store on the NFT metadata.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.