GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Incorrect Charity Verification Check

Summary

The isVerified function in the CharityRegistry contract mistakenly checks the registeredCharities mapping instead of verifiedCharities. This could allow donations to unverified charities if the function is used to confirm a charity’s eligibility for donations.
Impact: Users may donate Ether to unverified charities, defeating the purpose of a verification system and potentially leading to funds being directed to unauthorized entities.

Vulnerability Details

The isVerified function currently checks the registeredCharities mapping instead of the verifiedCharities mapping. As a result, the function returns true for any charity that has registered, whether or not the admin has verified it. This bug allows unverified charities to appear as verified to the GivingThanks contract, potentially leading to unauthorized Ether donations to charities that have not undergone the required verification process by the admin. This breaks the intended access control for donation eligibility and could expose users' funds to untrusted entities.

https://github.com/Cyfrin/2024-11-giving-thanks/blob/main/src/CharityRegistry.sol#L23-L25

function isVerified(address charity) public view returns (bool) {
    return registeredCharities[charity];
}

Impact

This bug undermines the integrity of the platform, as it allows any registered charity, verified or not, to be perceived as eligible for donations. This can lead to:

  • Unauthorized entities receiving donations without passing the verification process.

  • Loss of trust among donors, who may inadvertently donate to unverified charities.

  • Potential legal or compliance issues for the platform if funds are sent to unverified entities.

Tools Used

Manual Review

Recommendations

To fix this issue, update the isVerified function to return the status from the verifiedCharities mapping instead of registeredCharities. Here’s the corrected function:

function isVerified(address charity) public view returns (bool) {
    return verifiedCharities[charity];
}

Updates
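The following is an added example, not code from the GivingThanks repository, that puts the vulnerable check described under Vulnerability Details next to the corrected one from the Recommendations and proves the difference with a Foundry test. The registry below is a simplified reconstruction: the mapping names, registerCharity and verifyCharity mirror the report, while the admin handling, the isVerifiedBuggy name and the test contract are assumptions made for this example (forge-std is assumed to be available, as in any Foundry project).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

// Added example (not the contest's own code): a minimal registry that
// reproduces the finding. Mapping and function names mirror the report;
// the admin wiring is a simplifying assumption.
contract CharityRegistryDemo {
    address public admin;
    mapping(address => bool) public verifiedCharities;
    mapping(address => bool) public registeredCharities;

    constructor() {
        admin = msg.sender;
    }

    // Anyone can register any address; no vetting happens here.
    function registerCharity(address charity) public {
        registeredCharities[charity] = true;
    }

    // Only the admin may verify, and only a previously registered charity.
    function verifyCharity(address charity) public {
        require(msg.sender == admin, "not admin");
        require(registeredCharities[charity], "not registered");
        verifiedCharities[charity] = true;
    }

    // BUG as reported: reads the registration mapping, so a bare
    // registration is enough to pass the donation eligibility check.
    function isVerifiedBuggy(address charity) public view returns (bool) {
        return registeredCharities[charity];
    }

    // FIX as recommended: read the verification mapping instead.
    function isVerified(address charity) public view returns (bool) {
        return verifiedCharities[charity];
    }
}

// Foundry test (hypothetical, added for this example) showing that the
// buggy check treats any registered address as verified, while the fixed
// check still requires the admin's verifyCharity call.
contract CharityRegistryDemoTest is Test {
    CharityRegistryDemo registry;
    address someone = makeAddr("someone");           // constructed address
    address charity = makeAddr("unverified-charity"); // constructed address

    function setUp() public {
        // The test contract deploys the registry, so it is the admin.
        registry = new CharityRegistryDemo();
    }

    function test_registrationAlonePassesBuggyCheck() public {
        vm.prank(someone);
        registry.registerCharity(charity);

        assertTrue(registry.isVerifiedBuggy(charity)); // bug: looks verified
        assertFalse(registry.isVerified(charity));     // fix: still unverified
    }

    function test_fixedCheckRequiresAdminVerification() public {
        registry.registerCharity(charity);
        registry.verifyCharity(charity); // admin (this contract) verifies

        assertTrue(registry.isVerified(charity));
    }

    function test_nonAdminCannotVerify() public {
        registry.registerCharity(charity);

        vm.prank(someone);
        vm.expectRevert(bytes("not admin"));
        registry.verifyCharity(charity);
    }
}
```

Running `forge test` against this file passes all three tests; the first one is the reproduction of the finding, since a donation contract gating on isVerifiedBuggy would accept the charity after nothing more than a registration call from an arbitrary account.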

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-isVerified-return-registered-charities

Likelihood: High, the function returns registered charities instead of verified ones. Impact: High, any charity can be registered by anyone and will be declared as verified by this function, bypassing verification.
