Missing Zero-Address Check in CharityRegistry::changeAdmin() Function
Summary
The changeAdmin() function in the CharityRegistry contract allows the current admin to change the admin address. However, it lacks a check to ensure that the new admin address is not a zero address (0x000...000), which could lead to the contract becoming effectively non-administered if the admin is changed to the zero address.
Vulnerability Details
The function changeAdmin() enables the current admin to transfer admin privileges to a new address. However, there is no validation to prevent the new admin address from being the zero address, which is an invalid and unsafe address in the Ethereum network.
If the admin address is set to the zero address, the contract would lose the ability to transfer admin rights or perform any admin-controlled actions, effectively locking the contract and leaving it in an unmanageable state. This is a common vulnerability that can occur if there are no checks for the zero address when setting important variables like the admin address.
Impact
Allowing the admin to be set to a zero address can cause:
Loss of Administrative Control: If the admin is set to a zero address, there would be no way to alter or manage the admin role again, as there is no valid address associated with it.
Operational Failure: Any function that relies on the admin address for authorization, such as
verifyCharity()orregisterCharity(), could fail if the admin role is transferred to the zero address.
Tools Used
Manual Code Review
Recommendations
Make sure to implement a check to prevent the new admin address from being set to the zero address, ensuring that administrative control is never lost like this:
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.