The GivingThanks
smart contract allows anyone to change the registry address, which can let attackers bypass verification and mint NFTs for free.
If an attacker can change the registry
address to point to a contract they control, they can bypass the verification process and mint NFTs for free. This issue arises from the previously identified vulnerability in the updateRegistry
function, allowing unauthorized users to manipulate the registry.
Attackers can mint unlimited NFTs without making actual donations.
This undermines the trust and integrity of the platform.
Manual Review
Restrict access to the updateRegistry
function to only the contract owner.
Enhance the donate
function to ensure that only verified charities receive donations and mint NFTs.
Likelyhood: High, anyone can change it at anytime Impact: High, can bypass the verification process
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.