In the code below, the updateRegistry function is public and lacks access control, allowing anyone to call it:
https://github.com/Cyfrin/2024-11-giving-thanks/blob/main/src/GivingThanks.sol#L56-L59
In the GivingThanks contract, there is a function for updating the registry address that lists charities, as shown in the code below:
In this code, anyone can call updateRegistry and change the registry to their preferred registry, potentially one they own.
Since only one registry of charities can be set at a time in the GivingThanks contract, allowing anyone to alter this registry undermines the contract’s intended purpose.
This vulnerability enables any user to replace the verified charities list with their own.
The likelihood of this function being called by others is high.
Remix, Manual Review, Slither, Aderyn
To address this, add ownership verification within the function, either through explicit code or by using OpenZeppelin’s onlyOwner modifier.
Implementing Ownership Control:
OpenZeppelin:
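The unprotected function beside the two recommended variants, added here as an illustration and not taken from the GivingThanks repository. It assumes the registry is stored as a plain address and that the deployer is the owner; the real contract's field types and constructor differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Vulnerable form: updateRegistry is public with no access control,
// so any caller can point the contract at a registry they control.
contract GivingThanksVulnerable {
    address public registry;

    function updateRegistry(address _registry) public {
        registry = _registry;
    }
}

// Hardened form A: explicit owner check with a custom error (assumed names).
contract GivingThanksExplicitOwner {
    address public registry;
    address public immutable owner;

    error NotOwner(address caller);
    event RegistryUpdated(address indexed oldRegistry, address indexed newRegistry);

    constructor(address _registry) {
        owner = msg.sender;
        registry = _registry;
    }

    function updateRegistry(address _registry) external {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        emit RegistryUpdated(registry, _registry);
        registry = _registry;
    }
}

// Hardened form B: OpenZeppelin Ownable; v5 takes the initial owner
// as a constructor argument and onlyOwner reverts for anyone else.
contract GivingThanksOwnable is Ownable {
    address public registry;

    constructor(address _registry) Ownable(msg.sender) {
        registry = _registry;
    }

    function updateRegistry(address _registry) external onlyOwner {
        registry = _registry;
    }
}
```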
Likelihood: High, anyone can change it at any time
Impact: High, can bypass the verification process