A bug was found in the CharityRegistry.sol contract which impacted the GivingThanks.sol contract. GivingThanks.sol has a function, GivingThanks::donate, that should only allow donations to charities that have been verified. Due to an issue in CharityRegistry.sol, GivingThanks::donate allowed donations to any charity that was registered, whether or not it had been verified.
Problem Location: CharityRegistry.sol
Function Affected in GivingThanks.sol: donate(address charity)
In CharityRegistry.sol, the CharityRegistry::isVerified function was supposed to check whether a charity was verified. Instead, it checked whether the charity was merely registered. This allowed donations to go to unverified charities, which could be exploited by anyone who registered a charity without obtaining verification from the admin.
Because of this bug, donations could be sent to charities that had never passed admin verification, so funds could end up with untrustworthy parties.
Manual code review
Testing with various charity statuses (registered, verified) to locate the issue
Fix the CharityRegistry::isVerified function: update isVerified in CharityRegistry.sol so that it checks the verified status of a charity, not its registered status.
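The following is an added illustration of the reported defect and the recommended fix, not the audited project's code. The mapping names (registeredCharities, verifiedCharities), the onlyAdmin modifier and the shape of registerCharity/verifyCharity are assumptions; only isVerified and GivingThanks::donate are named in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal reconstruction of the registry described in the finding.
// Mapping names, onlyAdmin and the register/verify functions are assumptions.
contract CharityRegistry {
    address public admin;
    mapping(address => bool) public registeredCharities;
    mapping(address => bool) public verifiedCharities;

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor() { admin = msg.sender; }

    // Anyone may register; registration alone carries no trust.
    function registerCharity(address charity) external {
        registeredCharities[charity] = true;
    }

    // Only the admin may verify a registered charity.
    function verifyCharity(address charity) external onlyAdmin {
        require(registeredCharities[charity], "not registered");
        verifiedCharities[charity] = true;
    }

    // BUG (as reported): reads the registration mapping, so every
    // self-registered charity is reported as verified.
    function isVerifiedBuggy(address charity) external view returns (bool) {
        return registeredCharities[charity];
    }

    // FIX: read the admin-controlled verification mapping instead.
    function isVerified(address charity) external view returns (bool) {
        return verifiedCharities[charity];
    }
}

// Caller that relies on the check; mirrors GivingThanks::donate as described.
contract GivingThanks {
    CharityRegistry public registry;

    constructor(address registryAddr) { registry = CharityRegistry(registryAddr); }

    function donate(address charity) external payable {
        require(registry.isVerified(charity), "Charity not verified");
        (bool ok, ) = charity.call{value: msg.value}("");
        require(ok, "transfer failed");
    }
}
```

With the buggy lookup, a charity that only called registerCharity passes the donate gate; with the fixed lookup, it is rejected until the admin calls verifyCharity.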
Likelihood: High, the function returns registered charities instead of verified ones. Impact: High, any charity can be registered by anyone and will be declared verified by this function, bypassing admin verification.