The GivingThanks constructor incorrectly assigns msg.sender as the registry address instead of using the provided _registry parameter.
In GivingThanks.sol, the constructor is improperly initializing the registry address:
The issue is that the constructor casts msg.sender to CharityRegistry and stores it as the registry, ignoring the intended _registry parameter. As a result, the contract will try to interact with the deployer's address as if it were a CharityRegistry contract.
On deployment, the contract will be permanently linked to an incorrect registry address, in this case, the deployer's address, instead of the intended charity registry contract. Any calls to verify charities or process donations will fail as the deployer's address cannot respond to the required registry function calls. This makes the contract unusable from the moment of deployment unless the registry is updated through a separate transaction.
Manual Review
Remix IDE
Correct the constructor to use the provided registry parameter and add proper validation:
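The following is an added illustration, not the audited project's code: a minimal vulnerable constructor beside a corrected one. The ICharityRegistry interface, the isVerified function, the owner field and the updateRegistry setter name are assumptions; only the _registry parameter, the registry field and the existence of a setter come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed registry interface; the real CharityRegistry may differ.
interface ICharityRegistry {
    function isVerified(address charity) external view returns (bool);
}

// Vulnerable version: _registry is accepted but ignored, and the deployer
// (msg.sender) is cast to the registry type. Every registry call then
// targets an address with no registry code and reverts.
contract GivingThanksVulnerable {
    ICharityRegistry public registry;
    address public owner;

    constructor(address _registry) {
        registry = ICharityRegistry(msg.sender); // bug: should use _registry
        owner = msg.sender;
    }
}

// Fixed version: store the supplied parameter and validate it first.
contract GivingThanksFixed {
    ICharityRegistry public registry;
    address public owner;

    error InvalidRegistry(address given);

    constructor(address _registry) {
        _setRegistry(_registry);
        owner = msg.sender;
    }

    // Setter referred to in the finding (name assumed); same validation on update.
    function updateRegistry(address _registry) external {
        require(msg.sender == owner, "not owner");
        _setRegistry(_registry);
    }

    function _setRegistry(address _registry) internal {
        // Reject the zero address and any address holding no code: a registry
        // that cannot answer isVerified() makes the contract unusable.
        if (_registry == address(0) || _registry.code.length == 0) {
            revert InvalidRegistry(_registry);
        }
        registry = ICharityRegistry(_registry);
    }
}
```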
Likelihood: High, the parameter is not used, so the registry will never be set to the intended address. Impact: Low, the registry can be corrected through the setter, and in the meantime no one is able to donate to a malicious charity.