GivingThanks
First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Incorrect Use of Constructor Parameters

m3dython

Root Cause and Impact

  • Root Cause: The GivingThanks contract's constructor ignores the _registry parameter and incorrectly sets the registry to CharityRegistry(msg.sender).

  • Impact: The contract may interact with an unintended or incorrect registry, leading to failed function calls or unexpected behavior.

Vulnerability Details

  • Constructor Code:

    constructor(address _registry) ERC721("DonationReceipt", "DRC") {
    // Incorrect assignment
    registry = CharityRegistry(msg.sender);
    owner = msg.sender;
    tokenCounter = 0;
    }

    • Issue: Ignores _registry parameter.

    • Consequence: The registry points to the deployer's address, not the intended CharityRegistry contract.

Recommendations

  • Correct the Constructor Implementation:

    constructor(address _registry) ERC721("DonationReceipt", "DRC") {
    registry = CharityRegistry(_registry);
    owner = msg.sender;
    tokenCounter = 0;
    }

  • Validate Constructor Parameters:

    • Ensure _registry is a valid address.

    • Optionally, add a require statement:

      require(_registry != address(0), "Registry address cannot be zero");
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-bad-registry-set-at-construction

Likelyhood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.