Incorrect initialization of registry in `GivingThanks` constructor causes charity verification failure
Summary
In the GivingThanks contract, the registry variable is improperly initialized in constructor. Instead of using _registry parameter passed to the constructor to set the registry variable, it incorrectly uses msg.sender.
Vulnerability Details
By setting registry = CharityRegistry(msg.sender);, the registry variable is assigned to the deployer of the contract instead of the intended CharityRegistrycontract. This breaks the intended functionality of the protocol making the protocol unusable.
Tools Used
Manual code review
Recommendations
Assign the _registry parameter passed in the constructor to the instance of the CharityRegistry contract.
Lead Judging Commences
finding-bad-registry-set-at-construction
Likelyhood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.