The `GivingThanks` contract’s constructor mistakenly assigns the deployer's address (`msg.sender`) to the `registry` variable instead of the provided `_registry` address. This misconfiguration causes the contract to fail when attempting to verify a charity through the `donate` function, resulting in reverted transactions and making the donation functionality unusable.
In the `GivingThanks` contract’s constructor, the `registry` variable is set using `msg.sender` rather than the `_registry` parameter. Consequently, instead of pointing to the deployed `CharityRegistry` contract, `registry` holds the deployer’s address.
This misconfiguration leads to failed charity verification in the `donate` function, as the `isVerified` check calls the incorrect address (the deployer’s address) instead of the `CharityRegistry` contract. As a result, all attempts to donate revert, rendering the core functionality of the contract unusable.
Without access to the actual `CharityRegistry` contract, the `GivingThanks` contract cannot verify charities, leading to reverted transactions for all donation attempts. This issue effectively breaks the donation feature, preventing donors from contributing to charities.
Manual review, unit tests.
Modify the constructor to properly assign the `registry` variable using the `_registry` parameter instead of `msg.sender`:
By using `_registry`, the `GivingThanks` contract correctly references the deployed `CharityRegistry` contract, allowing charity verification to function as intended.
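The constructor bug and its fix side by side, as an added example that is not the project's source code. `RegistryStub`, `DonationsBase`, `DonationsBuggy` and `DonationsFixed` are hypothetical, simplified stand-ins, and the `code.length` check is an extra hardening step that the finding itself does not propose.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal stand-in for CharityRegistry (constructed for this example).
contract RegistryStub {
    mapping(address => bool) private verified;

    function setVerified(address charity, bool ok) external {
        verified[charity] = ok;
    }

    function isVerified(address charity) external view returns (bool) {
        return verified[charity];
    }
}

// Shared donation logic: verify the charity, then forward the ether to it.
abstract contract DonationsBase {
    RegistryStub public registry;

    function donate(address charity) external payable {
        // If `registry` is an address with no code (e.g. the deployer's EOA),
        // this high-level call fails the compiler-inserted code-size check
        // and the whole transaction reverts.
        require(registry.isVerified(charity), "Charity not verified");
        (bool sent, ) = charity.call{value: msg.value}("");
        require(sent, "Transfer failed");
    }
}

// Before: the constructor ignores `_registry` and stores the deployer.
contract DonationsBuggy is DonationsBase {
    constructor(address _registry) {
        registry = RegistryStub(msg.sender); // the bug described in the finding
    }
}

// After: the parameter is used, and a non-contract address is rejected at
// deployment instead of surfacing later as reverted donations.
contract DonationsFixed is DonationsBase {
    constructor(address _registry) {
        require(_registry.code.length > 0, "Registry is not a contract");
        registry = RegistryStub(_registry);
    }
}
```

A deployment test that asserts `address(donations.registry()) == address(registryStub)` fails against `DonationsBuggy` and passes against `DonationsFixed`, which catches the misassignment before any donation is attempted.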
Likelihood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.