Faulty constructor in GivingThanks contract
Summary
GivingThanks contract erroneously passes msg.sender into the CharityRegistry contracts constructor, which itself does not take any parameters in reality.
Vulnerability Details
GivingThanks::constructor function attempts to assign the deployer's address as the registry contract while the passed address ``_registry param suggests_ _that the intention was to pass the address _registry, not msg.sender.
Impact
Registry Not Set Properly: This line should be setting the registry variable to a valid deployed CharityRegistry contract, but instead, it's setting it to the address of the deployer. As a result, registry will not be a valid CharityRegistry instance, and any subsequent interactions with it (e.g., calling isVerified, registerCharity, etc.) will fail or behave unexpectedly.
Misleading Contract Behavior: This line gives the impression that the contract is interacting with a CharityRegistry, but in reality, it is only using the deployer's address, which does not have the expected functionality. This could cause issues when interacting with the GivingThanks contract in the future.
Tools Used
Manual review
Recommendations
Pass the address _registry, NOT msg.sender in the constructor
Lead Judging Commences
finding-bad-registry-set-at-construction
Likelyhood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.