First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

The setPassword Function is lacking access control

atoko

Summary

The setPassword Function is lacking access control

Vulnerability Details

The setPassword function is supposed to be used to set the password of the contract however it lacks an access control protection which means that anyone will be able to set the password of the contract.

Impact

anyone will be able to set the password and access the contract therefore there the contract is compromised

Tools Used

manual analysis

Recommendations

consider adding a modifier for access control so that only the owner of this contract will be able to set the password of this contract as below.

modifier onlyOwner() {
require(msg.sender == s_owner, "Stop you are not the owner");
_;
}

then you can now protect our function from malicious users as below

function setPassword(string memory newPassword) external onlyOwner {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
s_password = newPassword;
emit SetNetPassword(newPassword);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.