First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Anyone can change the password

Testerbot

Summary

setPassword() function can be called by any address.

Vulnerability Details

Let's review the code including its comments

/*
* @notice This function allows only the owner to set a new password.
* @param newPassword The new password to set.
*/
function setPassword(string memory newPassword) external {
s_password = newPassword;
emit SetNetPassword();
}

So supposedly the function should be called by the owner only, but it never performs an ownership check. Anyone can change the password.

Impact

If someone detects this vulnerability they can change the password at any time, making this contract useless.

Tools Used

Manual Review + tests
For the test we should add the following code block in the PasswordStore.t.sol file:

function test_non_owner_can_set_password() public {
vm.startPrank(address(1));
string memory expectedPassword = "myNewPassword";
passwordStore.setPassword(expectedPassword);
}

After running the test it passes, meaning that anyone can change the password.

Recommendations

Modify setPassword() function so that it checks for ownership before changing the password:

function setPassword(string memory newPassword) external {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
s_password = newPassword;
emit SetNetPassword();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.