GivingThanks

First Flight #28
Beginner Friendly · Foundry
100 EXP
Submission Details
Severity: high
Valid

`CharityRegistry:isVerified` returns wrong value

**Description:** `CharityRegistry:isVerified` returns `registeredCharities[charity]`, but it should return `verifiedCharities[charity]`.
```solidity
function isVerified(address charity) public view returns (bool) {
@>  return registeredCharities[charity];
}
```
**Impact:** Any user can add an address to `registeredCharities` without being verified by the admin, so the `isVerified` check is trivially bypassed.
A donor can register themselves as a charity and donate to themselves, receiving NFTs for free.
**Proof of Concept:**
Note: the `GivingThanks` constructor passes the wrong parameter to `CharityRegistry`, so that must be fixed first for the test to reach the registry:
```diff
constructor(address _registry) ERC721("DonationReceipt", "DRC") {
// @audit-high: wrong param pass in, should be _registry instead of msg.sender
- registry = CharityRegistry(msg.sender);
+ registry = CharityRegistry(_registry);
owner = msg.sender;
tokenCounter = 0;
}
```
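Review bot: the `// @audit-high` comment above the `-`/`+` pair is an audit marker rather than documentation of the fix; drop it or replace it with a plain comment stating that `registry` is taken from the constructor argument, and consider rejecting `_registry == address(0)` there, since nothing in the constructor validates the address before it is stored.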
then place the following into `GivingThanks.t.sol`.
```solidity
function testGetNFTForFree() public {
    vm.deal(donor, 10 ether);
    vm.startPrank(donor);
    uint256 initBalance = donor.balance;

    // Self-registration: no admin involvement at all.
    registryContract.registerCharity(donor);
    // donor is not verified by admin, but can bypass isVerified check
    assertEq(registryContract.isVerified(donor), true);

    // Donate to self: the ether round-trips, the NFT is minted to donor.
    charityContractFix.donate{value: 1 ether}(donor);
    assertEq(charityContractFix.ownerOf(0), donor);
    assertEq(donor.balance, initBalance);
    vm.stopPrank();
}
```
The donor mints an NFT for free, paying only gas.
**Recommended Mitigation:**
In `CharityRegistry.sol`
```diff
function isVerified(address charity) public view returns (bool) {
- return registeredCharities[charity];
+ return verifiedCharities[charity];
}
```
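Review bot: the `+` line switches the lookup to `verifiedCharities`, which is only a complete fix if that mapping is written solely by an admin-gated path; the hunk does not show who sets `verifiedCharities`, so confirm that `registeredCharities` stays open while `verifiedCharities` is admin-controlled, and add a regression test mirroring the PoC that asserts `isVerified(donor)` is `false` after self-registration.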
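As an added illustration (not code from the GivingThanks codebase or from this submission), the following is a minimal stand-in registry with the mitigation applied, plus a Foundry test showing that self-registration no longer satisfies `isVerified`. The page only shows the body of `isVerified`; the `admin` role, the `verifyCharity` function, the custom errors and the test fixture names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

// Assumed minimal stand-in for CharityRegistry with the fix applied.
// The real contract's shape (admin role, verifyCharity) is not on the page.
contract CharityRegistryFixed {
    address public admin;
    // Self-service and untrusted: anyone can flip this for any address.
    mapping(address => bool) public registeredCharities;
    // Admin-controlled and trusted: the only mapping a trust check may use.
    mapping(address => bool) public verifiedCharities;

    error NotAdmin();
    error NotRegistered();

    constructor() {
        admin = msg.sender;
    }

    // Open registration; registration alone confers no trust.
    function registerCharity(address charity) external {
        registeredCharities[charity] = true;
    }

    // Only the admin may promote a registered charity to verified.
    function verifyCharity(address charity) external {
        if (msg.sender != admin) revert NotAdmin();
        if (!registeredCharities[charity]) revert NotRegistered();
        verifiedCharities[charity] = true;
    }

    // Fixed: consults the admin-controlled mapping, not the open one.
    function isVerified(address charity) external view returns (bool) {
        return verifiedCharities[charity];
    }
}

contract IsVerifiedFixTest is Test {
    CharityRegistryFixed registry;
    address admin = makeAddr("admin");
    address donor = makeAddr("donor");

    function setUp() public {
        vm.prank(admin);
        registry = new CharityRegistryFixed();
    }

    // Regression for the finding: self-registration must not read as verified.
    function testSelfRegistrationIsNotVerification() public {
        vm.prank(donor);
        registry.registerCharity(donor);
        assertTrue(registry.registeredCharities(donor));
        assertFalse(registry.isVerified(donor));
    }

    // Verification is reachable only through the admin.
    function testOnlyAdminCanVerify() public {
        vm.prank(donor);
        registry.registerCharity(donor);

        vm.prank(donor);
        vm.expectRevert(CharityRegistryFixed.NotAdmin.selector);
        registry.verifyCharity(donor);

        vm.prank(admin);
        registry.verifyCharity(donor);
        assertTrue(registry.isVerified(donor));
    }
}
```

Run with `forge test` from a Foundry project that has `forge-std` installed. The first test is the one to keep alongside the real fix: it fails against the original `isVerified` body and passes against the mitigated one, so it catches any future regression that reads from `registeredCharities` again.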
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-isVerified-return-registered-charities

Likelihood: High, the function returns registered charities instead of verified ones. Impact: High, any charities can be registered by anyone and will be declared as verified by this function, bypassing verification.
