Submission Details
Severity:
Non-Owner Accounts Can Change the Password
Summary
According to the NatSpec of the function PasswordStore::setPassword:
This function allows only the owner to set a new password.
But it's not enforced in any way.
Impact
The function is accessible by anyone due to the external visibility specifier and doesn't implement any form of access control check to validate only the owner is allowed to set a new password.
Tools Used
Foundry and VS Studio Code.
Recommendations
Implement an access control check to validate only the owner can access the function.
diff --git a/src/PasswordStore.sol.orig b/src/PasswordStore.sol
index a2b5fd0..a8ae8d8 100644
--- a/src/PasswordStore.sol.orig
+++ b/src/PasswordStore.sol
contract PasswordStore {
* @param newPassword The new password to set.
*/
function setPassword(string memory newPassword) external {
+ if (msg.sender != s_owner) {
+ revert PasswordStore__NotOwner();
+ }
s_password = newPassword;
emit SetNetPassword();
}
Updates
Lead Judging Commences
inallhonesty
about 2 years ago
inallhonesty about 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.