The isVerified function in the CharityRegistry contract incorrectly validates whether a charity is verified by checking the registeredCharities mapping instead of checking the verifiedCharities mapping. This error results in the function confirming registration status instead of the verification status, which will mislead the GivingThanks contract to accept unverified charities as eligible for donations.
The isVerified function should check whether a charity is verified, but instead it checks the registration status in the registeredCharities mapping. Since the GivingThanks contract relies on isVerified to vet charities before allowing donations, this incorrect check lets unverified charities be treated as valid donation recipients.
This vulnerability renders the charity verification process useless as an unverified charity could bypass the security checks intended to safeguard donor contributions. Donors may unknowingly send funds to these unverified or potentially malicious charities, thereby reducing trust in the platform and its security measures.
Manual code review.
Update the isVerified function to correctly validate by checking the verifiedCharities mapping instead of the registeredCharities mapping:
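As an added illustration (not the project's own code), the following minimal Solidity contracts show the defective isVerified beside the corrected one and the donation gate that depends on it. The mapping types, the permissionless registerCharity, the admin-only verifyCharity and the GivingThanks.donate body are assumptions made for the example; only the contract names, the function name isVerified and the two mapping names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction of CharityRegistry (assumed layout, not the
// audited source). It keeps registration and verification in two separate
// mappings, which is exactly why reading the wrong one matters.
contract CharityRegistry {
    address public admin;
    mapping(address => bool) public registeredCharities;
    mapping(address => bool) public verifiedCharities;

    constructor() {
        admin = msg.sender;
    }

    // Registration is open to anyone, as the finding states.
    function registerCharity(address charity) external {
        registeredCharities[charity] = true;
    }

    // Verification is an admin-only step (assumed access control).
    function verifyCharity(address charity) external {
        require(msg.sender == admin, "not admin");
        require(registeredCharities[charity], "not registered");
        verifiedCharities[charity] = true;
    }

    // VULNERABLE (as described in the finding): reads registeredCharities,
    // so any self-registered charity is reported as verified.
    function isVerifiedBuggy(address charity) external view returns (bool) {
        return registeredCharities[charity];
    }

    // FIXED: reads verifiedCharities, so only admin-verified charities pass.
    function isVerified(address charity) external view returns (bool) {
        return verifiedCharities[charity];
    }
}

// Simplified caller (assumed shape) showing the gate GivingThanks relies on.
// With the buggy check, registerCharity(X) by anyone is enough to make
// donate(X) succeed; with the fix, donate(X) reverts until the admin has
// called verifyCharity(X).
contract GivingThanks {
    CharityRegistry public registry;

    constructor(address registry_) {
        registry = CharityRegistry(registry_);
    }

    function donate(address charity) external payable {
        require(registry.isVerified(charity), "charity not verified");
        (bool ok, ) = charity.call{value: msg.value}("");
        require(ok, "transfer failed");
    }
}
```

A regression test for the fix is simple to state: after a non-admin calls registerCharity(X), isVerified(X) must return false, and donate(X) must revert; after the admin calls verifyCharity(X), both must succeed. Keeping isVerified and the verifiedCharities mapping named consistently also makes this class of copy-paste mistake easier to catch in review.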
Likelihood: High, the function returns registered charities instead of verified ones. Impact: High, any charity can be registered by anyone and will be declared verified by this function, bypassing verification.