GivingThanks
First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Missing Access Control in GivingThanks::updateRegistry

0xalex

Summary

In the GivingThanks contract anybody can update the registry due to the lack of access control.

Vulnerability Details

Missing access control in GivingThanks::updateRegistry: The updateRegistry function lacks proper access control. This allows any attacker to call the function and replace the legitimate CharityRegistry contract address with a malicious one.

Impact

An attacker exploiting this vulnerability could:

  • Redirect donations to a charity controlled by the attacker.

  • Disrupt the intended flow of funds to legitimate charities.

  • Damage the reputation of the GivingThanks platform.

Tools Used

Manual review

Recommendations

Implement an onlyOwner modifier in the updateRegistry function. This ensures that only the contract owner can update the CharityRegistry address.

Diff:

Incorrect code:
- contract GivingThanks is ERC721URIStorage {
...
- function updateRegistry(address _registry) public {
// /\ @audit-issue anybody can update registry, misses access control check
registry = CharityRegistry(_registry);
}
}
Fixed code:
+ contract GivingThanks is ERC721URIStorage, Ownable {
...
+ function updateRegistry(address _registry) public onlyOwner {
registry = CharityRegistry(_registry);
}
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelyhood: High, anyone can change it at anytime Impact: High, can bypass the verification process

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.