Beginner Friendly / Foundry
Submission Details
Severity: high
Valid

Anyone can reset the password by calling setPassword

Summary

The setPassword function is not restricted to only the owner of the contract. Anyone can call the function and set/overwrite the password.

Vulnerability Details

The notes state that the setPassword function is limited to the owner, but nothing in the code requires that s_owner be the caller of this function. Anyone can call it.

function setPassword(string memory newPassword) external {
    s_password = newPassword;
    emit SetNetPassword();
}

Impact

If the owner relied on this contract to store their password and someone else changed it, the owner's password would be lost.

Tools Used

Manual review
VS Code
Remix

Recommendations

You could add an onlyOwner modifier, but since you already have a custom error, we can just add that check to the setPassword function instead (see below). Also, I tested it in Remix and a modifier vs. a custom error uses the same amount of gas, apparently.

Modified setPassword function:

function setPassword(string memory newPassword) external {
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    s_password = newPassword;
    emit SetNetPassword();
}
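As an added example, not part of the original submission or the PasswordStore repository, the following Foundry test pins the recommended fix down as a regression test: the owner can still set the password, a non-owner call reverts with PasswordStore__NotOwner, and the stored value is unchanged after the rejected call. The contract is an illustrative reconstruction; the storage variables, event and error names come from the finding, while the constructor and getPassword are assumed here because the page does not quote them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Illustrative reconstruction of the contract with the recommended check added.
// s_owner, s_password, SetNetPassword and PasswordStore__NotOwner follow the
// finding; the constructor and getPassword are assumptions, not quoted on the page.
contract PasswordStoreFixed {
    error PasswordStore__NotOwner();

    address private s_owner;
    string private s_password;

    event SetNetPassword();

    constructor() {
        s_owner = msg.sender;
    }

    // Recommended fix: reject any caller other than the owner before writing.
    function setPassword(string memory newPassword) external {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        s_password = newPassword;
        emit SetNetPassword();
    }

    // Assumed read path with the same owner check, so the test can observe state.
    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        return s_password;
    }
}

// Foundry regression test for the access-control fix.
contract PasswordStoreFixedTest is Test {
    PasswordStoreFixed internal store;
    address internal owner = makeAddr("owner");       // constructed test identity
    address internal nonOwner = makeAddr("nonOwner"); // constructed test identity

    function setUp() public {
        vm.prank(owner); // deploy as the owner so s_owner == owner
        store = new PasswordStoreFixed();
    }

    function test_OwnerCanSetPassword() public {
        vm.prank(owner);
        store.setPassword("correct-horse");

        vm.prank(owner);
        assertEq(store.getPassword(), "correct-horse");
    }

    function test_NonOwnerCannotSetPassword() public {
        vm.prank(owner);
        store.setPassword("correct-horse");

        // A non-owner call must revert with the contract's custom error.
        vm.prank(nonOwner);
        vm.expectRevert(PasswordStoreFixed.PasswordStore__NotOwner.selector);
        store.setPassword("overwritten");

        // The original value survives the rejected call.
        vm.prank(owner);
        assertEq(store.getPassword(), "correct-horse");
    }
}
```

Run it with `forge test --match-contract PasswordStoreFixedTest`. Running the same second test against the unfixed setPassword from the finding fails at the expectRevert line, which is the behaviour this submission reports.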
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
