GivingThanks

First Flight #28
Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Lack of Access Control in `updateRegistry` Function

Description

The `updateRegistry` function lets any caller replace the registry address; there is no access control at all. This is a security risk because the `CharityRegistry` address can be changed without authorization, so a malicious actor can point `GivingThanks` at a registry they control and manipulate the contract's behaviour, including the charity verification it relies on.

Code Snippet

function updateRegistry(address _registry) public { //@audit no access control
    registry = CharityRegistry(_registry);
}

Impact

  • Unauthorized Access: Any user can call this function and change the registry address, which could lead to the contract interacting with an unverified or malicious CharityRegistry.

Recommendation

Implement access control to restrict who can call the updateRegistry function. This can be done by using the onlyOwner modifier from the Ownable contract or implementing a custom access control mechanism.

Suggested Code Update

// `admin` is assumed to be the state variable holding the privileged address
// (the deployer/owner); an `onlyOwner` modifier from Ownable achieves the same restriction.
function updateRegistry(address _registry) public {
    require(msg.sender == admin, "unauthorized call");
    registry = CharityRegistry(_registry);
}
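The following is an added example, not code from the GivingThanks project: a minimal owner-gated `updateRegistry` next to a Foundry test that checks both halves of the fix (a stranger's call reverts and leaves the registry untouched; the owner's call succeeds). The contract names `GivingThanksHardened` and `UpdateRegistryAccessTest`, the stub `CharityRegistry`, the custom errors and the `RegistryUpdated` event are assumptions made for this example; the test assumes forge-std is available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the registry contract; the real one carries the charity list.
contract CharityRegistry {}

// Owner-gated version of updateRegistry (example, not the project's code).
// `owner` is fixed at deployment; OpenZeppelin's Ownable/onlyOwner would express the same rule.
contract GivingThanksHardened {
    address public immutable owner;
    CharityRegistry public registry;

    event RegistryUpdated(address indexed previous, address indexed current);

    error Unauthorized(address caller);
    error ZeroAddress();

    constructor(address _registry) {
        owner = msg.sender;
        registry = CharityRegistry(_registry);
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    // Only the owner may re-point the contract at a different registry, and never at address(0).
    function updateRegistry(address _registry) public onlyOwner {
        if (_registry == address(0)) revert ZeroAddress();
        emit RegistryUpdated(address(registry), _registry);
        registry = CharityRegistry(_registry);
    }
}

// Foundry test for the access check (assumes forge-std; names are constructed for this example).
contract UpdateRegistryAccessTest is Test {
    GivingThanksHardened internal giving;
    CharityRegistry internal original;
    CharityRegistry internal replacement;
    address internal deployer = makeAddr("deployer");
    address internal stranger = makeAddr("stranger");

    function setUp() public {
        original = new CharityRegistry();
        replacement = new CharityRegistry();
        vm.prank(deployer); // deployer becomes owner
        giving = new GivingThanksHardened(address(original));
    }

    // An arbitrary address must not be able to swap the registry.
    function test_strangerCannotSwapRegistry() public {
        vm.prank(stranger);
        vm.expectRevert(
            abi.encodeWithSelector(GivingThanksHardened.Unauthorized.selector, stranger)
        );
        giving.updateRegistry(address(replacement));
        assertEq(address(giving.registry()), address(original));
    }

    // The owner keeps the ability to update the registry.
    function test_ownerCanSwapRegistry() public {
        vm.prank(deployer);
        giving.updateRegistry(address(replacement));
        assertEq(address(giving.registry()), address(replacement));
    }
}
```

Run it with `forge test --match-contract UpdateRegistryAccessTest`. The zero-address check and the event are not required to close the finding, but an event on every registry change gives monitoring something to alert on if the privileged key itself is ever misused.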

Conclusion

Adding access control to the updateRegistry function is crucial for maintaining the integrity and security of the GivingThanks contract. This change will help prevent unauthorized modifications to the CharityRegistry address.

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelihood: High, anyone can change it at anytime
Impact: High, can bypass the verification process
