GivingThanks

First Flight #28
Beginner Friendly, Foundry
Submission Details
Severity: medium
Valid

Wrong parameter used makes `GivingThanks` contract unusable

Summary

The `GivingThanks` contract uses an external `CharityRegistry` contract. The deployer should pass the address of the `CharityRegistry` contract as the constructor argument.

Vulnerability Details

The constructor contains a mistake that prevents the contract from using the external registry. The argument to `registry = CharityRegistry(...)` should be the `CharityRegistry` address passed in as the constructor parameter, not `msg.sender`.

```solidity
constructor(address _registry) ERC721("DonationReceipt", "DRC") {
    // @audit wrong address
    registry = CharityRegistry(msg.sender);
    owner = msg.sender;
    tokenCounter = 0;
}
```

Impact

The `GivingThanks` contract loses its functionality. For example, users won't be able to donate because it will be impossible to check whether a charity is verified.
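
The failure mode described above, as an added example that is not the audited project's code: `RegistryStub`, `ReceiptsStub`, `Harness`, `isVerified`, `verify` and the `buggy` flag are hypothetical stand-ins, and the `donate` check is assumed to be a `require` on the registry lookup.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for CharityRegistry (names assumed, not the audited code).
contract RegistryStub {
    mapping(address => bool) private verified;

    function verify(address charity) external {
        verified[charity] = true;
    }

    function isVerified(address charity) external view returns (bool) {
        return verified[charity];
    }
}

// Hypothetical stand-in for GivingThanks; `buggy` selects the constructor variant.
contract ReceiptsStub {
    RegistryStub public registry;

    constructor(address _registry, bool buggy) {
        // buggy == true reproduces the finding: the deployer is cast to the registry type.
        registry = RegistryStub(buggy ? msg.sender : _registry);
    }

    function donate(address charity) external payable {
        // With the buggy constructor this call targets the deployer, which
        // does not implement isVerified(), so the whole donation reverts.
        require(registry.isVerified(charity), "Charity not verified");
        // Receipt minting omitted.
    }
}

// Deploys both variants against the same registry and reports which can accept a donation.
contract Harness {
    function run() external returns (bool buggyDonateOk, bool patchedDonateOk) {
        RegistryStub reg = new RegistryStub();
        address charity = address(0xBEEF); // constructed sample address
        reg.verify(charity);

        ReceiptsStub buggy = new ReceiptsStub(address(reg), true);
        ReceiptsStub patched = new ReceiptsStub(address(reg), false);

        try buggy.donate(charity) { buggyDonateOk = true; } catch { buggyDonateOk = false; }
        try patched.donate(charity) { patchedDonateOk = true; } catch { patchedDonateOk = false; }
    }
}
```

Calling `run()` exercises both paths: the buggy variant's `donate` reverts because the `Harness` deployer has no `isVerified` function, while the patched variant reaches the real registry and accepts the verified charity.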

Tools Used

Manual Review

Recommendations

constructor(address _registry) ERC721("DonationReceipt", "DRC") {
- registry = CharityRegistry(msg.sender);
+ registry = CharityRegistry(_registry);
owner = msg.sender;
tokenCounter = 0;
}
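
Review bot: the `+ registry = CharityRegistry(_registry);` line assigns the constructor argument without validating it, so deploying with the zero address would leave `registry` as unusable as the `msg.sender` cast did. Consider adding `require(_registry != address(0), "registry is zero");` before the assignment, and a deployment test asserting that `registry` equals the address passed to the constructor.
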
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-bad-registry-set-at-construction

Likelihood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.
