The primary objective of this contract is to restrict access to the `setPassword` function to only the admin. However, there is currently no mechanism in place to identify the caller of this function.
The contract lacks any access control mechanism, allowing anyone to access and set the password. There is no check or `require` statement to verify the caller's identity when calling the `setPassword` function.
The absence of access control measures in the contract results in a critical vulnerability. Any user, not just the admin, can set the password, which undermines the intended security of the contract.
The identified vulnerability was detected through manual inspection.
To address this vulnerability, it is essential to implement access control mechanisms. One common approach is to utilize a `require` statement for the `setPassword` function to verify the caller's identity. Access should be restricted to the admin or authorized parties only, ensuring the contract functions as intended.
Anyone can call `setPassword` and set a new password, contrary to the intended purpose.
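The missing check and the recommended `require` guard, side by side, as an added example that is not the audited contract's own code. The contract names, the `admin` and `password` variables, the event, and the `AccessControlCheck` helper are assumptions made for illustration; only `setPassword` comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Constructed example: all names except setPassword are assumptions.
contract PasswordStoreVulnerable {
    address private admin;
    string private password;

    constructor() {
        admin = msg.sender;
    }

    // No caller check: admin is recorded but never consulted,
    // so any address can overwrite the password.
    function setPassword(string memory newPassword) external {
        password = newPassword;
    }
}

contract PasswordStoreFixed {
    address private immutable admin;
    string private password;

    event PasswordChanged();

    constructor() {
        admin = msg.sender;
    }

    // The require statement rejects every caller except the deployer.
    function setPassword(string memory newPassword) external {
        require(msg.sender == admin, "PasswordStore: caller is not admin");
        password = newPassword;
        emit PasswordChanged();
    }
}

// Regression check: this contract is never the admin of either store,
// so a correctly guarded setPassword must revert when called from here.
contract AccessControlCheck {
    // Returns true if a non-admin call succeeded (access control missing).
    function nonAdminCanSet(address store) external returns (bool ok) {
        (ok, ) = store.call(
            abi.encodeWithSignature("setPassword(string)", "constructed-value")
        );
    }
}
```

Deployed against the two stores, `nonAdminCanSet` returns `true` for `PasswordStoreVulnerable` and `false` for `PasswordStoreFixed`.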