GivingThanks

First Flight #28

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Incorrect setting of the CharityRegistry contract address in the contract constructor GivingThanks.sol

architect

Summary

The vulnerability in the `GivingThanks` contract's constructor arises because it initializes the `registry` variable with `CharityRegistry(msg.sender)` instead of using the `_registry` parameter passed to the constructor. This mistake sets the `registry` to the address of the contract deployer (`msg.sender`) rather than the actual `CharityRegistry` contract. As a result, any subsequent calls to `registry.isVerified` fail, since the `isVerified` function will attempt to access mappings on an invalid address

Vulnerability Details

In the GivingThanks contract constructor, the registry variable is incorrectly initialized with:

registry = CharityRegistry(msg.sender);

This line should instead be:

registry = CharityRegistry(_registry);

By assigning `registry` to `msg.sender`, the contract treats the deployer's address as the `CharityRegistry` contract, which is incorrect. Any calls to `registry` will now reference the deployer's address instead of the intended `CharityRegistry` contract.

Specifically, the line:

require(registry.isVerified(charity), "Charity not verified");

Will always fail because `registry.isVerified` is referencing the `isVerified` function on an address that is not the `CharityRegistry` contract. This causes the donation function to revert, making it impossible to donate to any charity, even if it has been properly registered and verified.

Impact

This vulnerability results in the following:

Inability to donate: Since registry.isVerified(charity) will always fail, the donate function will revert for any charity. As a result, users will be unable to donate using this contract.
Recommendation

Recommendations

Correct the constructor: Update the constructor to use `_registry` instead of `msg.sender` to initialize the `registry` variable.

Also this vulnerability I think should be in Low, because the `registry` address can be changed with the `updateRegistry(address _registry)` function in the `GivingThanks.sol` contract.

constructor(address _registry) ERC721("DonationReceipt", "DRC") {

registry = CharityRegistry(_registry); // Correct initialization

owner = msg.sender;

tokenCounter = 0;

}

Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-bad-registry-set-at-construction

Likelyhood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.