GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

[H-2] Lack of Access Control on `GivingThanks::updateRegistry`, anyone can update the registry.

Description:

`GivingThanks::updateRegistry` lets any caller replace the registry address; the function performs no access control check at all.

Impact:

An attacker can point the contract at a registry they control. Charities that never passed verification can then receive donations, and donors are exposed to fraudulent recipients.

Proof Of Code:

Since `GivingThanks::updateRegistry` has no access control, any address can replace the registry. The Foundry test below encodes the intended behaviour, that only the contract owner may update the registry, by expecting a call from an unprivileged address to revert.

```solidity
import {Test} from "forge-std/Test.sol";
import {GivingThanks} from "../src/GivingThanks.sol";
import {CharityRegistry} from "../src/CharityRegistry.sol";

contract GivingThanksAccessControlTest is Test {
    // Import paths assumed to match the project layout. Against the current
    // code this test FAILS: the non-owner call succeeds instead of reverting.
    function test_UpdateRegistryAccessControl() public {
        GivingThanks givingThanks = new GivingThanks(address(this));
        address newRegistry = address(new CharityRegistry());
        vm.startPrank(address(1));
        // Revert reason of OpenZeppelin Ownable v4; v5 reverts with the
        // custom error OwnableUnauthorizedAccount(address) instead.
        vm.expectRevert("Ownable: caller is not the owner");
        givingThanks.updateRegistry(newRegistry);
        vm.stopPrank();
    }
}
```

Running this test against the current code makes it fail: the `vm.expectRevert` expectation is not met because the call from `address(1)` succeeds. That failure is the proof: any address can change the registry through `GivingThanks::updateRegistry`.

Tools Used:

Foundry

Recommended Mitigation:

Restrict `GivingThanks::updateRegistry` to the contract owner, for example with OpenZeppelin's `Ownable` and its `onlyOwner` modifier. If `GivingThanks` does not already inherit `Ownable`, add that inheritance (or an equivalent modifier that checks `msg.sender == owner`); otherwise `onlyOwner` is undefined and the contract will not compile.

```solidity
function updateRegistry(address _registry) public onlyOwner {
    registry = CharityRegistry(_registry);
}
```
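The following is an added, self-contained illustration of the fix, not code from the GivingThanks repository: a minimal stand-in contract (`VulnerableRegistryHolder`, hypothetical) reproduces the unguarded `updateRegistry`, and `FixedRegistryHolder` (hypothetical) shows the same function gated by an explicit owner check, the hand-written equivalent of OpenZeppelin's `onlyOwner`. The Foundry tests show the attacker path succeeding against the first and being rejected by the second while the owner can still update. It assumes only that forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; stand-in contracts, not the project's own code.
// Assumes forge-std is available (`forge install foundry-rs/forge-std`).
import {Test} from "forge-std/Test.sol";

// Stand-in for CharityRegistry: only the address identity matters here.
contract DummyRegistry {}

// BEFORE: anyone can point the contract at a registry of their choosing.
contract VulnerableRegistryHolder {
    address public owner;
    DummyRegistry public registry;

    constructor(address _registry) {
        owner = msg.sender;
        registry = DummyRegistry(_registry);
    }

    function updateRegistry(address _registry) public {
        registry = DummyRegistry(_registry);
    }
}

// AFTER: the same function gated by an explicit owner check. Inheriting
// OpenZeppelin Ownable and using its onlyOwner modifier gives the same guarantee.
contract FixedRegistryHolder {
    address public owner;
    DummyRegistry public registry;

    error NotOwner(address caller);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor(address _registry) {
        owner = msg.sender;
        registry = DummyRegistry(_registry);
    }

    function updateRegistry(address _registry) public onlyOwner {
        registry = DummyRegistry(_registry);
    }
}

contract UpdateRegistryAccessControlTest is Test {
    address attacker = makeAddr("attacker");

    // Exploit path from the finding: an arbitrary caller replaces the registry.
    function test_AnyoneCanSwapRegistry_Vulnerable() public {
        address trusted = address(new DummyRegistry());
        VulnerableRegistryHolder holder = new VulnerableRegistryHolder(trusted);
        address attackerRegistry = address(new DummyRegistry());

        vm.prank(attacker);
        holder.updateRegistry(attackerRegistry);

        assertEq(address(holder.registry()), attackerRegistry);
    }

    // With the fix: the attacker is rejected, the registry is unchanged,
    // and the owner (this test contract, which deployed the holder) still can update.
    function test_OnlyOwnerCanSwapRegistry_Fixed() public {
        address trusted = address(new DummyRegistry());
        FixedRegistryHolder holder = new FixedRegistryHolder(trusted);
        address attackerRegistry = address(new DummyRegistry());

        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(FixedRegistryHolder.NotOwner.selector, attacker));
        holder.updateRegistry(attackerRegistry);
        assertEq(address(holder.registry()), trusted);

        address replacement = address(new DummyRegistry());
        holder.updateRegistry(replacement);
        assertEq(address(holder.registry()), replacement);
    }
}
```

Run with `forge test --match-contract UpdateRegistryAccessControlTest -vv`. The first test is deliberately green against the vulnerable contract because it asserts the attacker's write lands; the second asserts both the revert and that the stored registry is untouched, which is the check worth keeping in the project's suite after the fix.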
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelihood: High, anyone can change it at any time.
Impact: High, can bypass the verification process.
