GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Incorrect Verification Check in `isVerified`

Summary

The isVerified function in CharityRegistry returns true if the charity is registered, instead of checking whether it has been verified.

Vulnerability Details

In the CharityRegistry contract, the isVerified function currently returns the charity's entry in the registeredCharities mapping, which records whether a charity is registered, not whether it has been verified. As a result, any registered charity bypasses the verification requirement, so unverified charities appear as valid to other contract functions that rely on this check, such as donation processing.

Impact

This vulnerability could enable unverified charities to receive funds and participate as if they were verified. This defeats the purpose of verification, which is intended to ensure only vetted charities can receive donations, thus compromising the platform's integrity and trustworthiness.

Tools Used

Manual Code Review

Recommendations

Modify the isVerified function to check the verifiedCharities mapping instead of registeredCharities.

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-isVerified-return-registered-charities

Likelihood: High, the function returns registered charities instead of verified ones. Impact: High, any charity can be registered by anyone and will be declared as verified by this function, bypassing verification.
