GivingThanks

First Flight #28
Beginner Friendly, Foundry
Submission Details
Severity: medium
Valid

msg.sender is set as the registry instead of the address of the CharityRegistry contract

Summary

In the GivingThanks constructor, msg.sender is set as the registry instead of the CharityRegistry address passed in as _registry.

Vulnerability Details

In the GivingThanks constructor, msg.sender is set as the registry instead of the address of the CharityRegistry contract passed in as _registry. This breaks the core functionality of GivingThanks::donate(), where the registry is consulted to check whether a given charity address has been verified by the admin. Because registry points at msg.sender rather than a CharityRegistry contract, that verification check cannot succeed and GivingThanks::donate() reverts.

```solidity
constructor(address _registry) ERC721("DonationReceipt", "DRC") {
@>  registry = CharityRegistry(msg.sender);
    owner = msg.sender;
    tokenCounter = 0;
}
```
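A Foundry wiring test for the constructor issue above, added here as an example; it is not part of the original submission or the GivingThanks project. It assumes the import paths shown, a CharityRegistry with a no-argument constructor whose deployer can call registerCharity(address) and verifyCharity(address), a public `registry` getter on GivingThanks, and a payable donate(address).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";
import {GivingThanks} from "../src/GivingThanks.sol";       // assumed path
import {CharityRegistry} from "../src/CharityRegistry.sol"; // assumed path

// Assumptions (not confirmed by the submission): CharityRegistry takes no
// constructor arguments and lets its deployer register and verify charities;
// GivingThanks exposes `registry()` and a payable `donate(address)`.
contract RegistryWiringTest is Test {
    CharityRegistry registry;
    GivingThanks giving;
    address deployer = makeAddr("deployer");
    address donor = makeAddr("donor");
    address charity = makeAddr("charity");

    function setUp() public {
        vm.startPrank(deployer);
        registry = new CharityRegistry();
        giving = new GivingThanks(address(registry));
        registry.registerCharity(charity);
        registry.verifyCharity(charity);
        vm.stopPrank();
        vm.deal(donor, 1 ether);
    }

    // Wiring check: the stored registry must be the constructor argument,
    // not the deployer. Fails on the vulnerable constructor, passes once fixed.
    function testRegistryIsConstructorArgument() public {
        assertEq(address(giving.registry()), address(registry));
        assertTrue(address(giving.registry()) != deployer);
    }

    // Functional check: donating to a verified charity must not revert and
    // must move the ETH to the charity.
    function testDonateToVerifiedCharitySucceeds() public {
        vm.prank(donor);
        giving.donate{value: 0.1 ether}(charity);
        assertEq(charity.balance, 0.1 ether);
    }
}
```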

Impact

The GivingThanks::donate() function reverts, which means no ETH can be sent by a donor to a verified charity.

Tools Used

Foundry, manual analysis

Recommendations

Change the registry assignment in the GivingThanks constructor from msg.sender to the _registry parameter.

```diff
constructor(address _registry) ERC721("DonationReceipt", "DRC") {
- registry = CharityRegistry(msg.sender);
+ registry = CharityRegistry(_registry);
owner = msg.sender;
tokenCounter = 0;
}
```
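Review bot: the replacement line `+ registry = CharityRegistry(_registry);` stores the argument without validating it, so a deployment that passes `address(0)` or any non-registry address leaves donate() in the same broken state the finding describes; consider adding `require(_registry != address(0), "zero registry");` ahead of the assignment so a mis-wired deployment fails at construction rather than at the first donation.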
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-bad-registry-set-at-construction

Likelihood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.
