No access control on `GivingThanks ::updateRegistry` function.
Summary
There is no admin control check on GivingThanks::updateRegistry function, allowing anyone to update the CharityRegistry address which can lead to denial of service (DOS).
Vulnerability Details
The updateRegistry function enables updating the CharityRegistry contract address without any access control checks, allowing any external address to call this function and alter the registry affecting this state variable.
Which in turn could lead the GIvingThanks:donate function to fail and be unusable and denies the original intent. This absence of restriction can result in the registry being pointed to a malicious contract address, affecting trust and security.
Impact
An attacker could update the CharityRegistry which leads to users not being able to make donations to their desired charity which severely disrupts the original intention of whole product.
Tools Used
Manual review.
Recommendations
Minimal security for this function would be to a require statement which chicks for msg.sender to be the owner of the contract.
Lead Judging Commences
finding-isVerified-return-registered-charities
Likelyhood: High, the function returns registered charities instead of verified ones. Impact: High, Any charities can be registered by anyone and will be declared as verified by this function bypassing verification.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.