Submission Details
Severity:
The constructor of `GivingThanks` is incorrectly initializing `registry` with `msg.sender`, making the following call to `registry` fail
Summary
The constructor of GivingThanks contract is incorrectly initializing registry with msg.sender. This makes the following call to registry fail.
Vulnerability Details
constructor(address _registry) ERC721("DonationReceipt", "DRC") {
@> registry = CharityRegistry(msg.sender);
owner = msg.sender;
tokenCounter = 0;
}
Impact
The latter calls registry.isVerified in the donate function will fail, causing the whole contract malfunction.
Recommendations
constructor(address _registry) ERC721("DonationReceipt", "DRC") {
@> registry = CharityRegistry(_registry);
owner = msg.sender;
tokenCounter = 0;
}
Updates
Lead Judging Commences
n0kto 12 months ago
Submission Judgement Published Assigned finding tags:
finding-bad-registry-set-at-construction
Likelyhood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.
Rewards breakdown
nSLOC
67This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.