GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

No Access Control in GivingThanks::updateRegistry allowing any user to update the registry

Summary

Any user can update the CharityRegistry associated with the GivingThanks contract, because GivingThanks::updateRegistry performs no caller check.

Impact

The registry can be swapped for a different contract holding a different list of registered and verified charities, without donors being aware of the change.
Donors may then be prevented from donating to a legitimate charity, or be allowed to donate to an address that was never verified.

Proof of Code

The following test passes:

```solidity
function testAnyoneCanUpdateRegistry() public {
    // In this test setup the registry initially points at `admin` (the deployer).
    address registryAddress = address(charityContract.registry());
    assertEq(registryAddress, admin);

    // An unprivileged account (the charity) swaps the registry out.
    // vm.prank applies to the next external call, so it must directly
    // precede updateRegistry rather than the view call above.
    vm.prank(charity);
    charityContract.updateRegistry(address(donor));

    // The call succeeded: the registry now points at an arbitrary address.
    registryAddress = address(charityContract.registry());
    assertEq(registryAddress, donor);
}
```

Tools Used

Manual review, Foundry

Recommendations

Add the following line to the function:

```diff
 function updateRegistry(address _registry) public {
+    require(msg.sender == owner, "Only owner can update registry");
     registry = CharityRegistry(_registry);
 }
```
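As an added illustration (not code from the GivingThanks code base or from this submission), the following shows the hardened form of the function together with a Foundry test that proves the access control holds: a non-owner call reverts and leaves the registry untouched, while the owner can still update it. The contract here is a minimal stand-in with assumed names (`GivingThanksHardened`, `NotOwner`, `RegistryUpdated`, an empty `CharityRegistry` placeholder) and assumes forge-std is available for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

// Placeholder stand-in for the project's registry (assumption: only the type matters here).
contract CharityRegistry {}

// Minimal reproduction of the pattern under discussion; names and layout are assumptions.
contract GivingThanksHardened {
    error NotOwner(address caller);

    // Emitting the change gives donors and off-chain monitors a visible signal
    // whenever the registry is swapped.
    event RegistryUpdated(address indexed oldRegistry, address indexed newRegistry);

    address public immutable owner;
    CharityRegistry public registry;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor(address _registry) {
        owner = msg.sender;
        registry = CharityRegistry(_registry);
    }

    // Hardened version: only the owner may change the registry, and a zero
    // address is rejected so the contract cannot be pointed at nothing.
    function updateRegistry(address _registry) external onlyOwner {
        require(_registry != address(0), "registry cannot be zero address");
        emit RegistryUpdated(address(registry), _registry);
        registry = CharityRegistry(_registry);
    }
}

contract UpdateRegistryAccessTest is Test {
    GivingThanksHardened internal giving;
    CharityRegistry internal initialRegistry;
    address internal attacker = makeAddr("attacker");

    function setUp() public {
        initialRegistry = new CharityRegistry();
        // The test contract deploys, so it is the owner.
        giving = new GivingThanksHardened(address(initialRegistry));
    }

    function testNonOwnerCannotUpdateRegistry() public {
        CharityRegistry rogue = new CharityRegistry();
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(GivingThanksHardened.NotOwner.selector, attacker)
        );
        giving.updateRegistry(address(rogue));
        // State is unchanged after the rejected call.
        assertEq(address(giving.registry()), address(initialRegistry));
    }

    function testOwnerCanUpdateRegistry() public {
        CharityRegistry fresh = new CharityRegistry();
        giving.updateRegistry(address(fresh));
        assertEq(address(giving.registry()), address(fresh));
    }

    function testZeroAddressRejected() public {
        vm.expectRevert(bytes("registry cannot be zero address"));
        giving.updateRegistry(address(0));
    }
}
```

The negative test is the one worth keeping in the suite: the original `testAnyoneCanUpdateRegistry` documents the bug, but a regression test should assert that the unauthorized path reverts, not merely that the authorized one works.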
Updates

Lead Judging Commences

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelihood: High, anyone can change it at any time
Impact: High, can bypass the verification process
