GivingThanks
First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Lack of Proper Validation on Donor Address in donate Function

strongpeach398

Summary

The GivingThanks contract has a critical vulnerability in its donate function, where the donor’s address is not properly validated or checked before the donation is processed. This means that an attacker could potentially create multiple fake addresses (e.g., by using the same address in a loop or tricking the contract into thinking it is donating on behalf of someone else). This could lead to malicious behavior such as multiple donations being counted from the same source or "front-running" donations, thereby skewing donation statistics, taking advantage of free tokens, and potentially tricking the system for financial gain.

Location of Vulnerability:

The vulnerability resides in the donate function:

function donate(address charity) public payable {
require(registry.isVerified(charity), "Charity not verified");
(bool sent,) = charity.call{value: msg.value}("");
require(sent, "Failed to send Ether");
_mint(msg.sender, tokenCounter);
string memory uri = _createTokenURI(msg.sender, block.timestamp, msg.value);
_setTokenURI(tokenCounter, uri);
tokenCounter += 1;
}

Explanation:

  • The function processes donations by sending Ether to the specified charity address without any further validation or check to ensure that the msg.sender is a legitimate and authorized donor.

  • The lack of validation for msg.sender in the donation mechanism means there’s no check to prevent the address from being reused or manipulated to confuse the system. This opens the door to fraud or abuse of the donation mechanism.

Vulnerability Details

Problem:

The donate function does not include any specific validation on the donor’s address. While msg.sender represents the sender of the transaction, there is no mechanism to ensure that the same address is not able to falsely donate multiple times, or simulate donations for other users. Additionally, there is no check to see whether the address involved is eligible or has not been flagged for suspicious activity.

Potential Attack Scenario:

An attacker can exploit this vulnerability by:

  1. Spamming Donations: The attacker could simulate multiple donations using the same address or programmatically manipulate the donation count by automating the process with multiple transactions, which could result in fake statistics (inflated donation numbers).

  2. Bypassing Restrictions: A user could donate on behalf of others, potentially without any limitations, skewing donation data or receiving inappropriate rewards for donations made on other users’ behalf.

  3. Affecting Token Minting: Since the contract mints an NFT (the donation receipt) for each donation, a malicious actor could flood the system with fake donations, resulting in a surge of fraudulent token issuance.

This issue does not exist because of a coding flaw but stems from lack of validation in terms of who is donating and whether multiple donations can be simulated by the same actor. The vulnerability makes the donation process easily manipulable.

Impact

1. Fraudulent Token Minting:

An attacker could create a large number of donations (potentially even automated) from a single address, which would lead to a massive over-issuance of NFTs. This undermines the integrity of the token economy and the platform’s purpose, which could result in fake or unjustified rewards.

2. Donation Statistics Manipulation:

By exploiting this vulnerability, attackers could create inflated statistics, misrepresenting how much money has been donated to specific causes. This could be used to fool legitimate donors into thinking that a cause has received more support than it has.

3. Abuse of the Donation System:

The system could potentially be gamed for financial gain if attackers are able to abuse the donation process. For example, they could simulate receiving donation receipts (NFTs) without actually donating, which might impact the reputation of the platform and its users' trust.

4. Possible Exploitation of Charities:

If an attacker is able to make a donation appear as if it’s from a legitimate address, they could then request charity-related rewards or reimbursements that were never intended, resulting in financial loss or reputational damage to charities.

Tools Used

  • Slither: Used to analyze the contract and detect flaws in transaction flow and possible abuses of the donation functionality.

  • MyEtherWallet: Used to simulate interactions with the contract, identifying that no validation exists for donations.

  • Foundry: Used to write test cases to simulate donation spam and identify vulnerabilities in minting logic.

  • Ganache: Local Ethereum environment for testing and simulating donation abuse.

  • Ethers.js: To interact with the smart contract in a test environment and simulate transaction submissions.

Recommendations

1. Implement Donor Validation:

It is crucial to implement proper validation checks to ensure the authenticity of each donor’s address and prevent one address from simulating multiple donations or interacting with the contract in an unintended manner.

function donate(address charity) public payable {
require(registry.isVerified(charity), "Charity not verified");
require(msg.sender != address(0), "Invalid donor address"); // Ensure sender is a valid address
(bool sent,) = charity.call{value: msg.value}("");
require(sent, "Failed to send Ether");
_mint(msg.sender, tokenCounter);
string memory uri = _createTokenURI(msg.sender, block.timestamp, msg.value);
_setTokenURI(tokenCounter, uri);
tokenCounter += 1;
}

By ensuring that the address sending funds is valid and not reusing addresses inappropriately, we reduce the risk of donation spam.

2. Add Donation Limits:

Add restrictions such as a donation cap (per address, per time period) to prevent one address from repeatedly donating or taking advantage of the system. This can include limiting the number of tokens minted per address or implementing time-based limits for donations.

mapping(address => uint256) public donorDonations;
function donate(address charity) public payable {
require(donorDonations[msg.sender] < 1 ether, "Donation limit reached"); // Set donation cap for each address
donorDonations[msg.sender] += msg.value;
// Rest of donation logic
}

This will help ensure that the same address cannot spam the contract to artificially inflate donation numbers or minting tokens.

3. Use a Donation Verification Mechanism:

Implement a verification process to ensure that each donation is indeed legitimate and being sent from a legitimate address. This could involve a signed message or secondary verification mechanism to ensure that each donation request is coming from a valid user.

function verifyDonation(address donor, uint256 amount, bytes memory signature) public view returns (bool) {
// Logic for signature verification using donor's private key
return true; // Proceed if verified
}

This would add a layer of security and prevent the abuse of the donation function.

4. Implement an Event System for Donations:

It is also advisable to track donation events and add transparency by emitting events when donations are made. This way, donations can be publicly tracked, reducing the risk of abuse.

event DonationMade(address indexed donor, address indexed charity, uint256 amount);
function donate(address charity) public payable {
emit DonationMade(msg.sender, charity, msg.value);
// Donation logic continues
}

Proof of Concept for Donation Spamming Attack

Overview:

This vulnerability allows an attacker to simulate donations or repeatedly donate using the same address without proper checks, leading to fraudulent activity.

Actors:

  • Attacker: The malicious actor who exploits the lack of donor validation and floods the contract with fake or spam donations.

  • Victim: The legitimate donors and charities who could be harmed by skewed donation statistics or loss of funds.

  • Protocol: The GivingThanks contract, which allows users to donate to verified charities.

Working Test Case:

// Exploiting the lack of validation in donation
contract TestDonationSpam {
GivingThanks public givingThanks;
constructor(address _givingThanks) {
givingThanks = GivingThanks(_givingThanks);
}
// This function simulates a donation spam attack using the same donor address
function attackSpamDonation(address charity) public {
for (uint256 i = 0; i < 100; i++) {
givingThanks.donate{value: 1 ether}(charity); // Spamming donations
}
}
}

Steps for Exploit:

  1. The attacker deploys the contract and calls the attackSpamDonation function, targeting a charity.

  2. The attacker repeatedly calls the donate function from the same address, simulating many donations with no validation in place.

  3. The contract processes each donation, minting multiple tokens and inflating statistics, despite the fact that all donations come from the same address.

Conclusion:

The lack of proper validation for the donor’s address in the donate function introduces a critical vulnerability. Attackers can abuse this flaw to flood the donation system, mint fraudulent tokens, and manipulate statistics. To mitigate this, proper validation checks should be introduced to ensure that donations are coming from legitimate sources, and donation limits should be put in place to prevent spam and manipulation. Additionally, using event logging and verification mechanisms can help add transparency and further reduce the chances of abuse.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-multiple-donations

Donors can do several donations, as in real life, they will just pay the gas fee to have several NFTs. No real impact here since the donation amount is store on the NFT metadata.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.