Submission Details
Severity:
No Access Control on Registration in `CharityRegistry::registerCharity()` function
Description: The CharityRegistry::registerCharity() function lacks access controls, allowing any address to register any other address as a charity. This is a critical security flaw that could lead to widespread abuse.
function registerCharity(address charity) public {
registeredCharities[charity] = true;
}
Impact:
Malicious actors can register unlimited fake charities
No validation of charity legitimacy
Could lead to phishing attacks through fake charity registrations
Undermines the credibility of the entire registry
Proof of Concept:
function testUnauthorizedRegistration() public {
address malicious1 = address(0x1);
address malicious2 = address(0x2);
vm.prank(malicious1);
registry.registerCharity(malicious2);
assertTrue(registry.registeredCharities(malicious2));
}
Recommended Mitigation: Add appropriate access controls or requirements for registration
modifier onlyAdmin() {
require(msg.sender == admin, "Only admin can perform this action");
_;
}
function registerCharity(address charity) public onlyAdmin {
require(charity != address(0), "Invalid charity address");
registeredCharities[charity] = true;
emit CharityRegistered(charity);
}
Rewards breakdown
nSLOC
67This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.