GivingThanks

First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: high
Valid

Bug Report: updateRegistry Function in GivingThanks.sol Allows Unrestricted Access to Change CharityRegistry Address

Summary:
The updateRegistry function in GivingThanks.sol does not have any access control, allowing anyone (including unauthorized users) to change the registry contract address. This opens up the possibility for an attacker to replace the legitimate CharityRegistry contract with a malicious contract, potentially bypassing the charity verification logic and affecting the contract’s integrity. The test fails because the attacker is able to update the registry contract address successfully.

Vulnerability Details:
Affected Contract:

  • GivingThanks.sol

Affected Function:

  • updateRegistry(address _registry) public

Issue: In the current implementation of the updateRegistry function, there is no restriction on who can call this function. As a result, an attacker can change the registry address to any address of their choice, potentially a malicious contract that manipulates the charity verification logic.

function updateRegistry(address _registry) public {
registry = CharityRegistry(_registry);
}

Impact:

Severity: High

The lack of access control in updateRegistry means that:

  • Unauthorized Users Can Modify Critical Logic: Any user can replace the CharityRegistry contract with another one, including malicious ones.

  • Bypassing Charity Verification: If an attacker sets the registry address to a malicious contract, subsequent donations or verifications could be processed by the attacker’s contract, effectively bypassing any verification checks or altering contract state.

  • Potential Malicious Exploitation: The attacker could alter the registry logic, enabling them to manipulate donations or other key processes in the GivingThanks contract, leading to potential financial loss or unauthorized actions

Proof of Code: Test Code Showing Unrestricted Access:

function testGivingThanksUpdateRegistryNotProtected() public {
address oldRegistryAddress = address(charityContract.registry());
address attackerAddress = makeAddr("attackerAddress");
vm.startPrank(attackerAddress);
charityContract.updateRegistry(attackerAddress); // Attacker updates the registry
vm.stopPrank();
address updatedRegistryAddress = address(charityContract.registry());
assertNotEq(oldRegistryAddress, updatedRegistryAddress); // Test fails as the registry is updated by the attacker
}

In this test case:

  • The attacker successfully updates the registry address, which is not expected since the test assumes the registry should remain unchanged.

  • This happens because the updateRegistry function lacks any access control to restrict who can call it.

Tools Used:

  • Manual code review

  • Foundry

Recommendations:
To secure the contract and prevent unauthorized users from updating the registry contract, you should add an access control modifier to the updateRegistry function. For example, you could restrict access to the contract's owner or a trusted entity using the onlyOwner modifier (or any other role-based access control mechanism depending on your requirements):

modifier onlyOwner() {
require(msg.sender == owner, "Not contract owner");
_;
}
function updateRegistry(address _registry) public onlyOwner {
registry = CharityRegistry(_registry);
}
  • onlyOwner: This modifier ensures that only the owner of the contract (or an authorized address) can update the registry contract address. The contract will no longer be vulnerable to unauthorized changes.

By adding access control, only trusted parties (like the contract owner) can modify the registry address, securing the GivingThanks contract from potential exploitation.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelyhood: High, anyone can change it at anytime Impact: High, can bypass the verification process

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.