Submission Details
Severity: high
Valid

Anyone can set a new password by calling the 'setPassword' function.

Summary

Anyone has the ability to call the 'setPassword' function and modify the password stored in the contract.

Vulnerability Details

The 'setPassword' function is used to change the password. In its current implementation, the function contains no check that the caller is the owner of the contract, so anyone can call it and change the password.

    function setPassword(string memory newPassword) external {
        s_password = newPassword;
        emit SetNetPassword();
    }

Any user interacting with the contract can call the above function. The user has the capability to pass a parameter to the function, which will then become the new password.

Impact

Anyone can change the password in the contract.

Tools Used

Recommendations

    function setPassword(string memory newPassword) external {
        require(msg.sender == owner, "not owner");
        s_password = newPassword;
        emit SetNetPassword();
    }

When a user calls the function, it must first check authorization by comparing the owner's address with the address of the current caller.
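A Foundry regression test for the recommended check, added here as an example and not part of the original submission or the audited code base. The contract name `GuardedPasswordStore`, its constructor and the `getPassword` getter are assumptions; only `setPassword`, `s_password`, `owner` and the `SetNetPassword` event come from the snippets above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the audited contract with the recommended check applied.
// Contract name, constructor and getPassword() are assumptions for this example.
contract GuardedPasswordStore {
    address private owner;
    string private s_password;
    event SetNetPassword();

    constructor() {
        owner = msg.sender;
    }

    function setPassword(string memory newPassword) external {
        require(msg.sender == owner, "not owner");
        s_password = newPassword;
        emit SetNetPassword();
    }

    function getPassword() external view returns (string memory) {
        require(msg.sender == owner, "not owner");
        return s_password;
    }
}

contract SetPasswordAccessTest is Test {
    GuardedPasswordStore private store;
    address private ownerAddr = makeAddr("owner"); // constructed test address

    function setUp() public {
        vm.prank(ownerAddr);
        store = new GuardedPasswordStore();
        vm.prank(ownerAddr);
        store.setPassword("initial");
    }

    // Fuzzed: every caller other than the owner must revert and leave state unchanged.
    function testFuzz_NonOwnerCannotSetPassword(address caller) public {
        vm.assume(caller != ownerAddr);
        vm.prank(caller);
        vm.expectRevert(bytes("not owner"));
        store.setPassword("hijacked");
        vm.prank(ownerAddr);
        assertEq(store.getPassword(), "initial");
    }
}
```

Run with `forge test`; the same test fails against the unguarded version of `setPassword`, which makes it usable as a regression guard for this finding.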

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
