GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Valid

The _registry argument is not utilized in the constructor.

Summary

In the constructor, the initialization of the CharityRegistry object is performed using the msg.sender address instead of the _registry argument.

Vulnerability Details

The constructor initializes the CharityRegistry reference with the msg.sender address instead of _registry, which is the argument passed to the constructor.

constructor(address _registry) ERC721("DonationReceipt", "DRC") {
    // _registry is never read; the deployer's address is stored instead
    registry = CharityRegistry(msg.sender);
    owner = msg.sender;
    tokenCounter = 0;
}

Impact

If the wrong address for the CharityRegistry is set during initialization, it disrupts the protocol. Consequently, the donate function will fail to execute. This is due to the check registry.isVerified(charity), which ensures that the charity is verified. If this verification fails because the CharityRegistry address is incorrect, the donate function cannot proceed.

Tools Used

Manual review

Recommendations

Please utilize the _registry argument instead of msg.sender.

constructor(address _registry) ERC721("DonationReceipt", "DRC") {
    require(_registry != address(0), "Invalid registry address");
    registry = CharityRegistry(_registry);
    owner = msg.sender;
    tokenCounter = 0;
}
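
A Foundry regression test for the wiring bug described above, as an added example that is not part of the submission or the GivingThanks code base. MockRegistry, BuggyDonations, FixedDonations and the setVerified helper are constructed stand-ins (assumptions); only the two constructor bodies and the registry.isVerified(charity) check mirror the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for CharityRegistry; only isVerified appears in the report.
contract MockRegistry {
    mapping(address => bool) private verified;
    function setVerified(address charity) external { verified[charity] = true; }
    function isVerified(address charity) external view returns (bool) { return verified[charity]; }
}

// Stand-in with the reported constructor: the argument is ignored.
contract BuggyDonations {
    MockRegistry public registry;
    constructor(address _registry) { registry = MockRegistry(msg.sender); } // solc warns: unused parameter
    function donate(address charity) external payable { require(registry.isVerified(charity), "Charity not verified"); }
}

// Stand-in with the recommended constructor.
contract FixedDonations {
    MockRegistry public registry;
    constructor(address _registry) {
        require(_registry != address(0), "Invalid registry address");
        registry = MockRegistry(_registry);
    }
    function donate(address charity) external payable { require(registry.isVerified(charity), "Charity not verified"); }
}

contract RegistryWiringTest is Test {
    MockRegistry reg;
    address charity = address(0xC0FFEE); // constructed sample address
    function setUp() public {
        reg = new MockRegistry();
        reg.setVerified(charity);
    }

    function test_buggyConstructorPointsAtDeployer() public {
        BuggyDonations d = new BuggyDonations(address(reg));
        assertEq(address(d.registry()), address(this)); // deployer stored, not reg
        vm.expectRevert(); // isVerified is called on an address that is not a registry
        d.donate(charity);
    }

    function test_fixedConstructorUsesArgument() public {
        FixedDonations d = new FixedDonations(address(reg));
        assertEq(address(d.registry()), address(reg));
        d.donate(charity); // verified charity passes the check
    }
}
```

Run it with forge test in a project that has forge-std installed; asserting on the stored registry address right after deployment catches this class of bug before any donate call is attempted.
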
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-bad-registry-set-at-construction

Likelihood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.
