The updateRegistry
function in the GivingThanks
smart contract is missing an authorization check, allowing any user to change the address of the registry
contract. This could lead to unauthorized modifications that may compromise the security and functionality of the contract, as the registry is used to verify charities eligible for donations.
The updateRegistry
function is a public function that allows modification of the registry
contract address. Without an access control mechanism, such as an onlyOwner
modifier, any user can call this function and set the registry
to a malicious or arbitrary address. This change could allow unverified or malicious entities to bypass verification requirements, receive funds, or disrupt legitimate charity donations by pointing to an incorrect registry.
For example, any user could call:
This would replace the current registry with a potentially malicious registry contract, thereby allowing unauthorized or unverified addresses to receive donations.
Allowing unauthorized updates to the registry
contract could compromise the entire donation verification process. This may lead to unauthorized recipients receiving funds, loss of trust from donors, and potential exploitation of the platform’s funds.
Manual review.
Restrict access to the updateRegistry
function by implementing an authorization check, such as using OpenZeppelin’s onlyOwner
modifier, to ensure that only the contract owner or an authorized admin can modify the registry address. This will prevent unauthorized users from updating critical contract state and ensure only verified charities are eligible for donations.
Example code update:
Copy code
Adding the onlyOwner
modifier restricts access to this function, allowing only the owner (or an authorized entity) to make updates, thus maintaining the security and integrity of the contract’s registry.
Likelyhood: High, anyone can change it at anytime Impact: High, can bypass the verification process
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.