GivingThanks
First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

GivingThanks.updateRegistry(address _registry): no access control

k3ysk1lls

Summary

Anyone can change the address pointing to CharityRegistry using the GivingThanks.updateRegistry(address _registry) function.

Vulnerability Details

The function GivingThanks.updateRegistry(address _registry) changes the contract variable that points to CharityRegistry contract. There is no access control to this function, so anyone can change the address of the CharityRegistry contract at any time.

Impact

The CharityRegistry contract is responsible for the registration and verification of charities. Changing the contract by a rogue actor could result in unverified charities being able to receive donations from participants.

Tools Used

Use the following test function in the GivingThanks.t.sol test contract.

function testAnyoneCanUpdateRegistry() public {
address attacker = makeAddr("attacker");
address newRegistry = makeAddr("newRegistry");
vm.prank(attacker);
charityContract.updateRegistry(newRegistry);
assertEq(address(charityContract.registry()), newRegistry);
}

Recommendations

Correct charityContract.updateRegistry() function as follows:

function updateRegistry(address _registry) public {
+ require(msg.sender == owner, "Only owner update registry");
registry = CharityRegistry(_registry);
}
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelyhood: High, anyone can change it at anytime Impact: High, can bypass the verification process

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.