GivingThanks

Summary

In the GivingThanks contract, the constructor initializes the registry variable using msg.sender, instead of using the _registry address passed as a parameter. This means that the contract mistakenly sets itself as the registry rather than assigning the intended CharityRegistry contract as the trusted source for verification. As a result, this misconfiguration makes it impossible to properly verify charities using the designated CharityRegistry, impacting the contract's core functionality.

Vulnerability Details

The constructor in GivingThanks is written as follows:

The line registry = CharityRegistry(msg.sender); mistakenly assigns msg.sender (the deploying address) as the registry, instead of using the _registry parameter. This results in failed attempts to call isVerified and other verification methods on registry, as msg.sender does not possess these functions.

Impact

This initialization error critically undermines the GivingThanks contract’s functionality. Any calls to registry.isVerified(charity) or similar methods will revert unexpectedly because msg.sender lacks the CharityRegistry contract's required functions. This issue effectively prevents the GivingThanks contract from verifying charities, blocking the donation process and making the contract unusable for its core purpose.
This flaw

Tools Used

Manual code review: Identified the misuse of msg.sender instead of _registry in the constructor.
Foundry testing: Tests confirmed unexpected reverts when attempting to verify charities due to the incorrect registry assignment.

Recommendations

1 - Correct the constructor’s registry assignment: Update the constructor to correctly use the _registry parameter:

2 - Add deployment tests: Include a test to verify the correct initialization of registry and ensure that it points to a valid CharityRegistry instance. This will help prevent similar issues in future deployments.