GivingThanks
First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Lack of Access Control in updateRegistry Function

bryanconquer

Summary

The updateRegistry function in the GivingThanks contract is vulnerable due to a lack of access control. Currently, anyone can call this function to update the registry address, potentially redirecting it to a malicious contract. This can lead to unauthorized changes in the behavior of the contract, especially if the registry contract is used for critical validations like charity verifications.

Vulnerability Details

Missing access control, allowing any user to update the registry address.

function updateRegistry(address _registry) public {
registry = CharityRegistry(_registry);
}

Impact

Unauthorized Access: Any user can change the registry address, which could redirect the contract's logic to interact with a malicious CharityRegistry contract.

  • Potential Exploits: Attackers could deploy a fake CharityRegistry contract, verify unauthorized charities, and exploit the GivingThanks contract by minting tokens or manipulating charity verification statuses.

Tools Used

manual review

Recommendations

restrict access to the updateRegistry function by adding an onlyOwner modifier. This will ensure that only the contract owner can update the registry address.

modifier onlyOwner() {
require(msg.sender == owner, "Caller is not the owner");
_;
}
function updateRegistry(address _registry) public onlyOwner {
registry = CharityRegistry(_registry);
}
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelyhood: High, anyone can change it at anytime Impact: High, can bypass the verification process

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.