Submission Details
Severity:
No Access Control in GivingThanks::updateRegistry allowing any user to update the registry
Summary
Any user can update the the CharityRegistry associated with the GivingThanks contract.
Impact
The registry can be changed to a different contract containing a different list of registered and verified charities without the knowledge of donors.
Donors may be prevented from donating to a legitimate charity or be allowed to donate to a non-legitimate charity.
##Proof of Code
The following test passes:
function testAnyoneCanUpdateRegistry() public {
vm.prank(charity);
address registryAddress = address(charityContract.registry());
assertEq(registryAddress, admin);
charityContract.updateRegistry(address(donor));
registryAddress = address(charityContract.registry());
assertEq(registryAddress, donor);
}
Tools Used
Manual review, Foundry
Recommendations
Add the following line to the function:
function updateRegistry(address _registry) public {
+ require(msg.sender == owner, "Only owner can update registry");
registry = CharityRegistry(_registry);
}
Updates
Lead Judging Commences
n0kto 6 months ago
Submission Judgement Published Assigned finding tags:
finding-anyone-can-change-registry
Likelyhood: High, anyone can change it at anytime Impact: High, can bypass the verification process
Rewards breakdown
nSLOC
67This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.