GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Lack of onlyOwner modifier for the function updateRegistry

Summary

The updateRegistry function allows the address of the CharityRegistry contract to be changed by any caller.

Vulnerability Details

In the updateRegistry function there is no check that the caller is the contract owner, so anyone can replace the registry contract address with one of their choosing.

Impact

Pointing the protocol at an attacker-controlled registry lets donations flow to unverified charities, which compromises the entire verification model and opens the door to misuse and fraud.

Tools Used

manual review

Recommendations

Add an onlyOwner modifier to updateRegistry so that only the contract owner can update the registry, and reject the zero address so the registry cannot be accidentally disabled.

address public owner;
CharityRegistry public registry;

// Restricts a function to the address that deployed the contract.
modifier onlyOwner() {
require(msg.sender == owner, "Not authorized");
_;
}

constructor(address _registry) {
owner = msg.sender;
registry = CharityRegistry(_registry);
}

// @audit add onlyOwner modifier and address(0) check
function updateRegistry(address _registry) public onlyOwner {
require(_registry != address(0), "Invalid address");
registry = CharityRegistry(_registry);
}
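The following Foundry test is an added example, not code from the GivingThanks repository: it uses hypothetical stand-in contracts (VulnerableVault, FixedVault) with the registry stored as a plain address instead of a CharityRegistry, and shows that an arbitrary caller can swap the registry before the fix while the onlyOwner and address(0) checks stop it afterwards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical 'before' shape: updateRegistry has no access control.
contract VulnerableVault {
    address public owner;
    address public registry;
    constructor(address _registry) { owner = msg.sender; registry = _registry; }
    function updateRegistry(address _registry) public { registry = _registry; }
}

// Hypothetical 'after' shape: the recommended onlyOwner and zero-address checks.
contract FixedVault {
    address public owner;
    address public registry;
    modifier onlyOwner() { require(msg.sender == owner, "Not authorized"); _; }
    constructor(address _registry) { owner = msg.sender; registry = _registry; }
    function updateRegistry(address _registry) public onlyOwner {
        require(_registry != address(0), "Invalid address");
        registry = _registry;
    }
}

contract UpdateRegistryTest is Test {
    // Constructed addresses: an unprivileged caller and a rogue registry.
    address attacker = makeAddr("attacker");
    address rogueRegistry = makeAddr("rogue-registry");
    address realRegistry = makeAddr("real-registry");

    function test_anyoneCanSwapRegistry_beforeFix() public {
        VulnerableVault v = new VulnerableVault(realRegistry);
        vm.prank(attacker);              // next call comes from the attacker
        v.updateRegistry(rogueRegistry);
        assertEq(v.registry(), rogueRegistry); // the finding: swap succeeded
    }

    function test_onlyOwnerCanSwapRegistry_afterFix() public {
        FixedVault f = new FixedVault(realRegistry); // this test contract is owner
        vm.prank(attacker);
        vm.expectRevert(bytes("Not authorized"));
        f.updateRegistry(rogueRegistry);   // non-owner is rejected
        assertEq(f.registry(), realRegistry);

        vm.expectRevert(bytes("Invalid address"));
        f.updateRegistry(address(0));      // owner still cannot set zero address

        f.updateRegistry(rogueRegistry);   // owner may legitimately rotate it
        assertEq(f.registry(), rogueRegistry);
    }
}
```

Run with `forge test --match-contract UpdateRegistryTest`; both tests pass, the first by confirming the unauthorised change and the second by confirming the reverts.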
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-change-registry

Likelihood: High, anyone can change it at any time
Impact: High, can bypass the verification process
