GivingThanks

First Flight #28
Beginner Friendly / Foundry
100 EXP
Submission Details
Severity: medium
Status: Invalid

Missing Ownable Initialization in GivingThanks Contract

Summary

The GivingThanks contract does not inherit OpenZeppelin's Ownable for ownership management. Instead it declares address public owner and assigns owner = msg.sender in the constructor. That records the deployer's address, but none of what Ownable provides comes with it: no onlyOwner modifier, no transferOwnership / renounceOwnership, and no OwnershipTransferred event, so the intended restriction of privileged functions to the owner has nothing to enforce it.

Vulnerability Details

The contract declares address public owner; and sets owner = msg.sender; in the constructor.

  • It does not inherit OpenZeppelin's Ownable, so the standard onlyOwner modifier is not available and nothing restricts the functions meant to be owner-only.

Once the contract inherits Ownable, the manual owner = msg.sender; assignment is redundant: in OpenZeppelin Contracts 4.x the Ownable constructor sets the owner to the deployer, and in 5.x the constructor takes an explicit initialOwner argument (written as Ownable(msg.sender) in the constructor's modifier list). Keeping a separate owner variable next to Ownable would leave two ownership records that can drift apart after a transfer.

Current contract definition:

contract GivingThanks is ERC721URIStorage

Impact

Functions that should be restricted to the owner carry no onlyOwner modifier.

Because the owner variable is stored but never checked, the contract does not enforce the intended access control, and any address can call the functions that were meant to be owner-only.

Tools Used

Manual Review

Recommendations

Change the contract definition so that it inherits Ownable, and apply onlyOwner to every function that should be owner-restricted. With OpenZeppelin 5.x, also pass the initial owner to the Ownable constructor (Ownable(msg.sender)) and drop the manual owner variable:

contract GivingThanks is ERC721URIStorage, Ownable {}
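The following is an added example, not the GivingThanks source or the submitter's code. It puts the two patterns side by side: a hand-rolled owner that is stored but never checked, and the recommended Ownable version using the OpenZeppelin 5.x API, followed by a Foundry test that shows the difference. The contract names, the ERC721 name/symbol, the registry field, and the privileged function setRegistry are placeholders assumed for illustration; they are not the project's own identifiers. It assumes OpenZeppelin Contracts 5.x and forge-std are installed and remapped as shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the GivingThanks contract. Names below (ManualOwnerNFT,
// OwnableNFT, setRegistry, the "Example"/"EX" token metadata) are assumed
// placeholders used only to illustrate the pattern the finding describes.

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ERC721URIStorage} from "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";
import {Test} from "forge-std/Test.sol";

// Pattern the finding describes: the deployer is recorded in `owner`,
// but no modifier ever reads it, so the restriction exists only on paper.
contract ManualOwnerNFT is ERC721URIStorage {
    address public owner;
    address public registry;

    constructor(address _registry) ERC721("Example", "EX") {
        owner = msg.sender; // stored...
        registry = _registry;
    }

    // ...but never enforced: any caller can repoint the registry.
    function setRegistry(address _registry) external {
        registry = _registry;
    }
}

// Recommended pattern: inherit Ownable, hand it the initial owner (required
// by the OpenZeppelin 5.x constructor), and gate privileged calls with onlyOwner.
contract OwnableNFT is ERC721URIStorage, Ownable {
    address public registry;

    constructor(address _registry) ERC721("Example", "EX") Ownable(msg.sender) {
        registry = _registry; // no manual owner assignment needed
    }

    function setRegistry(address _registry) external onlyOwner {
        registry = _registry;
    }
}

// Foundry test demonstrating both behaviours. Run with `forge test`.
contract OwnershipTest is Test {
    address constant ATTACKER = address(0xBAD);
    address constant INITIAL_REGISTRY = address(0xBEEF);
    address constant NEW_REGISTRY = address(0xCAFE);

    // The hand-rolled owner does not stop a non-owner.
    function test_manualOwnerIsNotEnforced() public {
        ManualOwnerNFT nft = new ManualOwnerNFT(INITIAL_REGISTRY);
        assertEq(nft.owner(), address(this));

        vm.prank(ATTACKER);
        nft.setRegistry(NEW_REGISTRY); // succeeds although ATTACKER != owner
        assertEq(nft.registry(), NEW_REGISTRY);
    }

    // Ownable reverts with OwnableUnauthorizedAccount for anyone but the owner.
    function test_onlyOwnerBlocksNonOwner() public {
        OwnableNFT nft = new OwnableNFT(INITIAL_REGISTRY);
        assertEq(nft.owner(), address(this));

        vm.prank(ATTACKER);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, ATTACKER)
        );
        nft.setRegistry(NEW_REGISTRY);
        assertEq(nft.registry(), INITIAL_REGISTRY);

        // The deployer (this test contract) can still update it.
        nft.setRegistry(NEW_REGISTRY);
        assertEq(nft.registry(), NEW_REGISTRY);
    }
}
```

The test contract is the deployer, so it becomes the owner in both cases; the first test passes only because nothing checks `owner`, which is the gap the finding points at. If the project is on OpenZeppelin 4.x, drop the `Ownable(msg.sender)` modifier and expect the string revert "Ownable: caller is not the owner" instead of the custom error.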
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
