The aim of the project is to let donors send funds from their wallets to registered and verified charitable causes, but this is not fully enforced: donors can also donate to addresses that are registered but not verified.
The isVerified function is expected to check whether a charity address has been verified by the admin, but it instead checks whether the address is registered, as seen at line 24 of CharityRegistry.sol.
The registeredCharities mapping maps charity addresses to a bool indicating whether they are registered. The registerCharity function is public and can be called by anyone; charitable causes interested in receiving donations are expected to use it.
Because GivingThanks.sol relies on the flawed isVerified function to ensure that only registered and verified addresses are eligible to receive donations, charities that are registered but have not been verified by the admin can still receive donations.
Manual Review
The isVerified function should be modified so that it actually checks for verified addresses:
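The corrected check next to the flawed one, as an added illustration rather than the project's own code; the `verifiedCharities` mapping and the `verifyCharity` function are assumed names, and GivingThanks is sketched only as far as the donation gate.

```solidity
pragma solidity ^0.8.0;

// Added illustration, not the audited project's code. `verifiedCharities`
// and `verifyCharity` are assumed names; the rest comes from the finding.
contract CharityRegistry {
    address public admin = msg.sender;
    mapping(address => bool) public registeredCharities;
    mapping(address => bool) public verifiedCharities; // assumed name

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Permissionless: any caller can mark any address as registered.
    function registerCharity(address charity) public {
        registeredCharities[charity] = true;
    }

    // Only the admin can promote a registered charity to verified.
    function verifyCharity(address charity) public onlyAdmin {
        require(registeredCharities[charity], "not registered");
        verifiedCharities[charity] = true;
    }

    // Flawed version from the finding returned registeredCharities[charity],
    // so anything that passed registerCharity() looked "verified".
    // Corrected: consult the admin-controlled mapping instead.
    function isVerified(address charity) public view returns (bool) {
        return verifiedCharities[charity];
    }
}

// Sketch of the donation-side gate relying on the corrected check.
contract GivingThanks {
    CharityRegistry public immutable registry;

    constructor(address registryAddr) {
        registry = CharityRegistry(registryAddr);
    }

    function donate(address charity) external payable {
        require(registry.isVerified(charity), "charity not verified");
        (bool ok, ) = charity.call{value: msg.value}("");
        require(ok, "transfer failed");
    }
}
```

With this change, an address that has only gone through registerCharity is rejected by donate until the admin has called verifyCharity for it.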
Likelihood: High, the function returns registered charities instead of verified ones. Impact: High, any charity can be registered by anyone and will be declared verified by this function, bypassing verification.