Anyone can change the address of the CharityRegistry used by the contract. This lets an attacker control the verification status of charities.
The function GivingThanks::updateRegistry has no access control. Anyone can therefore call it and replace the CharityRegistry address with one they control, after which the attacker decides which charities count as verified.
An attacker can swap in a malicious CharityRegistry that reports only the attacker's charity as verified while every other charity is reported as unverified. From that point on, only the attacker's charity can receive donations.
Manual review
Add a permission check to the function GivingThanks::updateRegistry as shown below:
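The following is an added example, not the project's own code, showing the unprotected updateRegistry next to a version restricted to the owner, together with the attacker-controlled registry described above. The owner variable, the ICharityRegistry interface and its isVerified selector are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interface for CharityRegistry (not taken from the project).
interface ICharityRegistry {
    function isVerified(address charity) external view returns (bool);
}

// Vulnerable shape: updateRegistry has no access control.
contract GivingThanksVulnerable {
    ICharityRegistry public registry;
    address public owner; // assumed; used only by the fixed version below

    constructor(address _registry) {
        registry = ICharityRegistry(_registry);
        owner = msg.sender;
    }

    // Anyone can repoint the contract at a registry they control.
    function updateRegistry(address _registry) public {
        registry = ICharityRegistry(_registry);
    }

    // Donations are gated only by whatever the current registry reports.
    function donate(address charity) public payable {
        require(registry.isVerified(charity), "Charity not verified");
        (bool ok, ) = charity.call{value: msg.value}("");
        require(ok, "Transfer failed");
    }
}

// Attacker-controlled registry: verifies exactly one address, the attacker's.
// Calling GivingThanksVulnerable.updateRegistry(address(this)) redirects all
// donations to attackerCharity and blocks every other charity.
contract MaliciousRegistry is ICharityRegistry {
    address public immutable attackerCharity;

    constructor(address _attackerCharity) {
        attackerCharity = _attackerCharity;
    }

    function isVerified(address charity) external view returns (bool) {
        return charity == attackerCharity;
    }
}

// Fixed shape: only the owner may change the registry address.
contract GivingThanksFixed {
    ICharityRegistry public registry;
    address public owner;

    event RegistryUpdated(address indexed oldRegistry, address indexed newRegistry);

    error NotOwner();
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _registry) {
        if (_registry == address(0)) revert ZeroAddress();
        registry = ICharityRegistry(_registry);
        owner = msg.sender;
    }

    // Permission check added; zero-address guard and event are defensive extras.
    function updateRegistry(address _registry) public onlyOwner {
        if (_registry == address(0)) revert ZeroAddress();
        emit RegistryUpdated(address(registry), _registry);
        registry = ICharityRegistry(_registry);
    }

    function donate(address charity) public payable {
        require(registry.isVerified(charity), "Charity not verified");
        (bool ok, ) = charity.call{value: msg.value}("");
        require(ok, "Transfer failed");
    }
}
```

Deploying MaliciousRegistry with the attacker's charity address and calling updateRegistry on the vulnerable contract from any account reproduces the issue; the same call against GivingThanksFixed from a non-owner reverts with NotOwner.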
Likelihood: High, anyone can change the registry address at any time.
Impact: High, the charity verification process can be bypassed entirely.