GivingThanks

First Flight #28
Submission Details
Severity: high
Valid

Unauthorized NFT Minting via Registry Manipulation

Summary

The GivingThanks smart contract allows anyone to change the registry address, which can let attackers bypass verification and mint NFTs for free.

Vulnerability Details

If an attacker changes the registry address to point to a contract they control, they can bypass the verification process and mint NFTs for free. This issue arises from the previously identified vulnerability in the updateRegistry function, which allows unauthorized users to manipulate the registry.

Impact

  • Attackers can mint unlimited NFTs without making actual donations.

  • This undermines the trust and integrity of the platform.

Tools Used

Manual Review

Recommendations

  1. Restrict access to the updateRegistry function to only the contract owner.

  2. Enhance the donate function to ensure that only verified charities receive donations and mint NFTs.

    // Only the owner may repoint the registry (assumes an onlyOwner modifier is defined).
    function updateRegistry(address _registry) public onlyOwner {
        registry = CharityRegistry(_registry);
    }

    // Reverts unless the current registry reports the charity as verified.
    modifier onlyVerified(address charity) {
        require(registry.isVerified(charity), "Charity not verified");
        _; // run the guarded function body
    }

    function donate(address charity) public payable onlyVerified(charity) {
        // Forward the donation to the verified charity.
        (bool sent,) = charity.call{value: msg.value}("");
        require(sent, "Failed to send Ether");
        _mint(msg.sender, tokenCounter);
        // Create metadata for the tokenURI
        string memory uri = _createTokenURI(msg.sender, block.timestamp, msg.value);
        _setTokenURI(tokenCounter, uri);
        tokenCounter += 1;
    }
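A Foundry regression test for the two recommendations above, added here as an example and not taken from the GivingThanks repository. StubRegistry, PatchedGiving, the minted counter and the test addresses are constructed stand-ins reduced to the registry logic; it assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for CharityRegistry: only the isVerified lookup.
contract StubRegistry {
    mapping(address => bool) public isVerified;
    function verify(address charity) external { isVerified[charity] = true; }
}

// Constructed stand-in for the patched contract: owner-gated registry, gated donate.
contract PatchedGiving {
    address public immutable owner;
    StubRegistry public registry;
    uint256 public minted; // stands in for the ERC-721 mint
    constructor(address _registry) { owner = msg.sender; registry = StubRegistry(_registry); }

    function updateRegistry(address _registry) external {
        require(msg.sender == owner, "Not owner");
        registry = StubRegistry(_registry);
    }

    function donate(address charity) external payable {
        require(registry.isVerified(charity), "Charity not verified");
        (bool sent,) = charity.call{value: msg.value}("");
        require(sent, "Failed to send Ether");
        minted += 1;
    }
}

contract RegistryAccessTest is Test {
    StubRegistry trusted;
    PatchedGiving giving;
    function setUp() public {
        trusted = new StubRegistry();
        giving = new PatchedGiving(address(trusted)); // the test contract is the owner
    }

    function test_nonOwnerCannotSwapRegistry() public {
        StubRegistry other = new StubRegistry();
        vm.prank(address(0xBEEF)); // any caller other than the owner
        vm.expectRevert(bytes("Not owner"));
        giving.updateRegistry(address(other));
        assertEq(address(giving.registry()), address(trusted)); // registry unchanged
    }

    function test_unverifiedCharityCannotMint() public {
        vm.expectRevert(bytes("Charity not verified"));
        giving.donate(address(0xCAFE));
        assertEq(giving.minted(), 0); // nothing minted for an unverified charity
    }
}
```

Run with `forge test`; both tests should pass against the patched logic, and the first fails if the owner check is removed from updateRegistry.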
Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelihood: High, anyone can change it at any time
Impact: High, can bypass the verification process
