First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Owner Password can be changed by anyone

Mj0ln1r

Summary

setFunction() is supposed to call by the owner only but it can be called by anyone.

Vulnerability Details

setFunction() doesn't check the msg.sender. There is no access control to check the caller of the function is s_owner or not.

Impact

This vulnerability leads to change of the s_password of the owner. And the getPassword() is also useless here as there is no need to retrieve the s_password as the attacker himself changed the password. This defeats the sole purpose of the contract.

Tools Used

Manual review

Recommendations

Check that the msg.sender is s_owner or not.

function setPassword(string memory newPassword) external {
if (msg.sender != s_owner){
revert();
}
s_password = newPassword;
emit SetNetPassword();
}

Or else we can use OpenZeppelin Ownable access control functions.

import "@openzeppelin/contracts/ownership/Ownable.sol";
function setPassword(string memory newPassword) onlyOwner external {
s_password = newPassword;
emit SetNetPassword();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.