GivingThanks

Summary

A bug was identified in the constructor of CharityRegistry. The constructor incorrectly set the CharityRegistry instance to the address of the deployer (msg.sender) instead of the intended CharityRegistry contract address passed as an argument (_registry). This would cause function calls meant for the CharityRegistry to fail, as the deployer address is an externally owned account (EOA) and not a contract.

Vulnerability Details

In the constructor code, the GivingThanks::registry variable, intended to store a reference to the CharityRegistry contract, was set to CharityRegistry(msg.sender). Since msg.sender represents the address deploying the contract, this line incorrectly pointed the registry to the deployer's address rather than the CharityRegistry contract address. This would lead to errors when attempting to call contract functions on the deployer address, which does not support contract interactions.

Impact

The impact of this vulnerability is critical, as it would prevent the GivingThanks contract from correctly interacting with the CharityRegistry. Since the GivingThanks::registry was set to an EOA, any attempt to use registry for functions related to CharityRegistry would fail. This would likely break core functionalities, such as donations to charities.

Tools Used

This bug was identified through manual review of the constructor code.

Recommendations

To fix this issue, the constructor should use the _registry parameter (which is explicitly passed in as the CharityRegistry contract address) instead of msg.sender. This modification ensures that the correct contract address is assigned to registry.

Original code:

Modified code: