Submission Details
Severity:
anyone can restore the password.
Summary
any one can call the function setPassword and store another password diffrent from the stored one by the owner.
Vulnerability Details
it's pretty clear no need for details
Impact
if the owner is dump enough to not remember at least part of his password.he can use the new password for something serious then he get hacked by the bad actor who changed this password.
the owner will lose his stored address.
Tools Used
manual review
Recommendations
check that the caller to this function is the actual owner.
function setPassword(string memory newPassword) external {
>> if (msg.sender != owner ) return ;
s_password = newPassword;
emit SetNetPassword();
}
Updates
Lead Judging Commences
inallhonesty
about 2 years ago
ElHaj
about 2 years ago
inallhonesty
about 2 years ago
ElHaj
about 2 years ago
inallhonesty about 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.