Anyone can modify the registry, leading to a shift in power, which could allow attackers to freely register charitable organizations.
The source of the vulnerability code:
https://github.com/Cyfrin/2024-11-giving-thanks/blob/304812abfc16df934249ecd4cd8dea38568a625d/src/GivingThanks.sol#L56-L58
Details of the vulnerable code:
The updateRegistry function is public with no access control, so anyone can replace the registry. In other words, an attacker can set an address they control as the registry and then present any address as a "verified" charity. Only the admin is supposed to confirm registrations, but once the attacker controls the registry they effectively hold the admin's role, and the verification step can be bypassed at will.
An attacker can call the updateRegistry public function, passing their own address as a parameter to change the registry. Then, by calling the donate function again, the attacker could either pass their own address or another address, allowing them to illegally receive donated tokens and engage in malicious fundraising.
Manual review.
Add a require condition in the updateRegistry function (for example, require(msg.sender == owner)) to restrict who can modify the registry.
Likelihood: High, anyone can change it at any time.
Impact: High, the verification process can be bypassed.
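As an added illustration, not the project's own code: the unguarded updateRegistry shape the finding describes, next to an owner-gated version with an event so registry changes are visible on-chain. The ICharityRegistry interface, the owner variable and the body of donate are assumptions, simplified from the contest repository.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed shape of the registry that donate() consults; the real
// CharityRegistry in the repository may differ.
interface ICharityRegistry {
    function isVerified(address charity) external view returns (bool);
}

// Before: updateRegistry is public and unguarded, so any caller can point
// `registry` at a contract they control and make donate() accept any address.
contract GivingThanksVulnerable {
    ICharityRegistry public registry;
    address public owner;

    constructor(address _registry) {
        registry = ICharityRegistry(_registry);
        owner = msg.sender;
    }

    function donate(address charity) external payable {
        require(registry.isVerified(charity), "Charity not verified");
        // ... forward msg.value and mint the receipt NFT (omitted here)
    }

    function updateRegistry(address _registry) public {
        registry = ICharityRegistry(_registry); // no caller check
    }
}

// After: the require condition the finding recommends, as an onlyOwner
// modifier, plus a zero-address check and an event for monitoring.
contract GivingThanksFixed {
    ICharityRegistry public registry;
    address public immutable owner;
    event RegistryUpdated(address indexed oldRegistry, address indexed newRegistry);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address _registry) {
        registry = ICharityRegistry(_registry);
        owner = msg.sender;
    }

    function updateRegistry(address _registry) external onlyOwner {
        require(_registry != address(0), "Zero registry");
        emit RegistryUpdated(address(registry), _registry);
        registry = ICharityRegistry(_registry);
    }
}
```

Indexing RegistryUpdated lets an off-chain monitor alert on any registry change that does not originate from a planned admin action.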