The `updateRegistry` function in the `GivingThanks` contract allows any user to modify the charity registry address without restriction. This vulnerability will allow unauthorized users to change the trusted registry, thereby redirecting donations to unverified addresses.
The `updateRegistry` function currently lacks an access control mechanism to limit who can call it. As a result, any user can change the `registry` variable to another address. By updating the registry address, a malicious user could redirect donations intended for verified charities to an attacker-controlled address, hence compromising the integrity of the donation system.
As the `updateRegistry` function is currently without restrictions, it creates a critical security risk because unauthorized users are allowed to set the registry address. If exploited, attackers could divert funds to unverified or malicious addresses, and in doing so, break the trust in the platform and potentially cause significant financial losses for donors and charities.
Manual Code Review
Restrict access to the `updateRegistry` function so that only the contract’s owner or admin can call it, using the `onlyOwner` modifier from OpenZeppelin's `Ownable` contract. This will ensure that only authorized addresses can change the registry address.
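A sketch of the recommended fix, added here as an illustration and not taken from the audited code base. Only the names `GivingThanks`, `registry` and `updateRegistry` come from the finding; the interface, its `isVerified` function, the event, the custom error and the constructor are assumptions, and the `Ownable(msg.sender)` constructor call assumes OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical minimal interface: the real registry's functions are not shown in the finding.
interface ICharityRegistry {
    function isVerified(address charity) external view returns (bool);
}

// Illustrative contract, reduced to the registry-handling logic discussed in the finding.
contract GivingThanksHardened is Ownable {
    ICharityRegistry public registry;

    // Emitted on every change so off-chain monitoring can alert on registry swaps.
    event RegistryUpdated(address indexed previousRegistry, address indexed newRegistry);

    error InvalidRegistry(address candidate);

    // OpenZeppelin v5: Ownable takes the initial owner as a constructor argument.
    constructor(address initialRegistry) Ownable(msg.sender) {
        _setRegistry(initialRegistry);
    }

    // The finding describes this function as callable by anyone.
    // With onlyOwner, a call from any other account reverts before state is touched.
    function updateRegistry(address newRegistry) external onlyOwner {
        _setRegistry(newRegistry);
    }

    function _setRegistry(address newRegistry) private {
        // Defence in depth beyond the finding's recommendation:
        // reject the zero address and addresses with no deployed code.
        if (newRegistry == address(0) || newRegistry.code.length == 0) {
            revert InvalidRegistry(newRegistry);
        }
        emit RegistryUpdated(address(registry), newRegistry);
        registry = ICharityRegistry(newRegistry);
    }
}
```

A regression test for this fix should call `updateRegistry` from a non-owner account and assert that the call reverts and `registry` is unchanged.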
Likelihood: High, anyone can change it at any time
Impact: High, can bypass the verification process