An attacker can register an address they control as a charity, have it approved by the admin, and then "donate" to that address from the same account. The ETH comes straight back to the attacker, but the contract still mints them the donor NFT, so they receive the token for free.
Vulnerability code source:
https://github.com/Cyfrin/2024-11-giving-thanks/blob/304812abfc16df934249ecd4cd8dea38568a625d/src/GivingThanks.sol#L21-L23
The donate path never checks whether the charity address is the same as the donor (msg.sender), so an attacker can mint donor NFTs without giving anything away. The underlying problem is that charity registration is too lenient: the only gate is the admin's approval, and nothing prevents an approved "charity" from being an address the donor controls. The result is that a self-transfer counts as a donation and mints an NFT the attacker did not earn.
The attacker presents their own address as a charitable organization, obtains the admin's confirmation, and then calls the donate function with that address as the charity. The donated value returns to the attacker and a donor NFT is minted to them. Repeating the call mints an arbitrary number of NFTs at no cost beyond gas, inflating the supply and devaluing the tokens held by genuine donors; if the NFTs are tradable, the attacker can also sell them for profit. Exploitation therefore undermines the reward mechanism for donors, since someone who has donated nothing ends up holding the same NFTs as real donors.
Manual review.
Add a require statement in the donate function that rejects the call when the charity address equals msg.sender. Note that this only blocks the literal self-transfer: an attacker who registers one address as the charity and donates from a second address they control still gets the same outcome, so the check should be combined with stricter vetting of charities at registration time, which the finding identifies as the root cause.
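The self-donation described above and the recommended check, as an added illustration that is not the GivingThanks project's code. The registry interface, contract names and the counter-based "mint" are assumptions chosen to mirror the finding; the real contract uses an ERC721 implementation and its own CharityRegistry.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Names and the simplified
// minting logic below are assumptions that mirror the finding's description.

interface ICharityRegistry {
    function isVerified(address charity) external view returns (bool);
}

// Minimal registry stand-in: the admin can mark any address, including an
// externally owned account the attacker controls, as a verified charity.
contract SimpleCharityRegistry is ICharityRegistry {
    address public immutable admin;
    mapping(address => bool) public verified;

    constructor() {
        admin = msg.sender;
    }

    function verify(address charity) external {
        require(msg.sender == admin, "not admin");
        verified[charity] = true;
    }

    function isVerified(address charity) external view returns (bool) {
        return verified[charity];
    }
}

// Shared skeleton: forwards the donation and records a receipt token.
// ERC721 is reduced to a counter plus an owner mapping for brevity.
abstract contract DonationBase {
    ICharityRegistry public immutable registry;
    uint256 public tokenCounter;
    mapping(uint256 => address) public ownerOf;

    constructor(ICharityRegistry _registry) {
        registry = _registry;
    }

    function _forwardAndMint(address charity) internal {
        require(registry.isVerified(charity), "Charity not verified");
        (bool sent, ) = charity.call{value: msg.value}("");
        require(sent, "Failed to send Ether");
        ownerOf[tokenCounter] = msg.sender; // donor receives the NFT
        tokenCounter++;
    }
}

// Vulnerable form: nothing stops msg.sender == charity. Once the attacker's
// address is verified, donate{value: 1 wei}(attacker) returns the wei to the
// attacker and still assigns them token #tokenCounter. Looping the call mints
// as many tokens as the attacker is willing to pay gas for.
contract GivingThanksVulnerable is DonationBase {
    constructor(ICharityRegistry r) DonationBase(r) {}

    function donate(address charity) external payable {
        _forwardAndMint(charity);
    }
}

// Hardened form with the check from the recommendation. It blocks only the
// literal self-transfer; a second attacker-controlled donor address is not
// caught, so charity vetting at registration remains the real control.
contract GivingThanksFixed is DonationBase {
    constructor(ICharityRegistry r) DonationBase(r) {}

    function donate(address charity) external payable {
        require(charity != msg.sender, "Cannot donate to yourself");
        _forwardAndMint(charity);
    }
}
```

To reproduce the issue against the vulnerable variant, deploy SimpleCharityRegistry, call verify(attacker) from the admin, then have the attacker call donate(attacker) with any value; ownerOf(0) will be the attacker and their balance will have dropped only by gas.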