GivingThanks
First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Invalid

No Validation Against EOA Charities

sauronsol

Summary

The contract allows External Owned Accounts (EOAs) to be registered as charities, bypassing the intended requirement for charities to be smart contracts with proper logic and controls.

Vulnerability Details

function registerCharity(address charity) public {
registeredCharities[charity] = true; // No check if charity is contract
}
function donate(address charity) public payable {
require(registry.isVerified(charity), "Charity not verified");
(bool sent,) = charity.call{value: msg.value}(""); // Can send to EOA
}

Test proving vulnerability:

function testDonateToEOA() public {
address payable eoa = payable(makeAddr("eoa"));
vm.startPrank(admin);
registryContract.registerCharity(address(eoa));
registryContract.verifyCharity(address(eoa));
vm.stopPrank();
charityContract.updateRegistry(address(registryContract));
vm.deal(address(this), 1 ether);
charityContract.donate{value: 1 ether}(address(eoa));
assertEq(eoa.balance, 1 ether); // Proves EOA received funds
}

Impact

MEDIUM - Because:

  • Funds can be sent to personal wallets

  • Bypasses charity contract verification

  • No guarantee of charitable use

  • Loss of funds control

Tools Used

  • Manual code review

  • Foundry testing framework

  • EOA simulation tests

Recommendations

function registerCharity(address charity) public {
require(charity.code.length > 0, "Must be contract");
require(ICharity(charity).isCharity(), "Must implement charity interface");
registeredCharities[charity] = true;
}
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.