GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

[H-1] No access control in `GivingThanks::updateRegistry`

Impact: High
Likelihood: Medium

Summary

The `updateRegistry` function updates the address of the registry contract that GivingThanks targets, but it has no access control.

Vulnerability Details

Found at line 60 of GivingThanks.sol:

```solidity
function updateRegistry(address _registry) public {
    registry = CharityRegistry(_registry);
}
```

Impact

Anyone can change the address of the target registry, severely interfering with the protocol's functionality.
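
A Foundry test that makes this impact concrete and doubles as a regression check for the admin check this report recommends. It is an added example, not part of the submission or the project's code: `OpenHolder` and `GuardedHolder` are constructed stand-ins for GivingThanks (only `registry`, `admin` and `updateRegistry` come from the report, and `registry` is simplified to a plain `address`), and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Test} from "forge-std/Test.sol";

// Constructed stand-ins for GivingThanks: only `registry`, `admin` and
// `updateRegistry` are taken from the report; everything else is assumed.
contract OpenHolder {
    address public registry;
    address public admin;
    constructor(address _registry) {
        registry = _registry;
        admin = msg.sender;
    }
    // Behaviour described in the finding: no caller check.
    function updateRegistry(address _registry) public virtual {
        registry = _registry;
    }
}

contract GuardedHolder is OpenHolder {
    constructor(address _registry) OpenHolder(_registry) {}
    // Behaviour after the recommended admin check.
    function updateRegistry(address _registry) public override {
        require(msg.sender == admin, "only admin can update the registry");
        registry = _registry;
    }
}

contract UpdateRegistryAccessTest is Test {
    address internal trusted = makeAddr("trustedRegistry");
    address internal other = makeAddr("otherRegistry");
    address internal stranger = makeAddr("stranger");

    function test_unguardedVersionAcceptsAnyCaller() public {
        OpenHolder holder = new OpenHolder(trusted);
        vm.prank(stranger);
        holder.updateRegistry(other);
        assertEq(holder.registry(), other); // state changed by a non-admin
    }

    function test_guardedVersionRejectsNonAdmin() public {
        GuardedHolder holder = new GuardedHolder(trusted);
        vm.prank(stranger);
        vm.expectRevert(bytes("only admin can update the registry"));
        holder.updateRegistry(other);
        assertEq(holder.registry(), trusted); // registry unchanged
        holder.updateRegistry(other); // the test contract deployed it, so it is admin
        assertEq(holder.registry(), other);
    }
}
```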

Tools Used

Manual Review

Recommendations

Add a check that whoever calls this function is the admin:

function updateRegistry(address _registry) public {
+ require(msg.sender == admin, "only admin can update the registry");
registry = CharityRegistry(_registry);
}
}
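
Review bot: the added `require` in `updateRegistry` restricts the caller, but the body still assigns whatever `_registry` it is given, so an admin call with `address(0)` or a mistyped address is accepted, and the change emits no event. Consider rejecting the zero address and emitting an event that carries the old and new registry so updates can be monitored. The snippet also closes one more `}` than it opens, so check that the last brace belongs to the contract rather than being a paste error.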
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelihood: High, anyone can change it at any time.
Impact: High, can bypass the verification process.
