Contest tags: Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Missing access control on setPassword; never store private information on a public blockchain

Summary

  1. There is an access-control error in the setPassword function: it has no owner check, so any external account can call it and overwrite the owner's password.

  2. Private data must never be stored on a public blockchain. Marking a state variable `private` only restricts access from other contracts; every node and every user can read the raw storage.

Vulnerability Details

  1. The setPassword function on line 26 has no owner check, so any user can call it and replace the password.

  2. Storing sensitive information, such as passwords, on a public blockchain exposes it to everyone. Lines 13 and 14 declare s_owner and s_password as `private`, but the `private` keyword only hides them from other contracts. Their storage slots can be read by anyone with `eth_getStorageAt` (or `cast storage`) against any node, and the value also travels in plaintext in the calldata of the transaction that set it.

Impact

Any account can overwrite the stored password, breaking the contract's intended single-owner use, and anyone can recover the password directly from the contract's storage, so the secret it is meant to protect has no confidentiality at all.

Tools Used

Manual review

Recommendations

  1. Implement an onlyOwner modifier and apply it to both functions. Keeping the check in one modifier means it cannot be forgotten on one function and is easy to audit.

  2. Do not store secrets on a public blockchain in any recoverable form. An access-control fix stops unauthorized writes but does nothing for reads: the storage is still public. If a value must be kept on chain, encrypt it off chain first and keep the key off chain; a `private` variable is not a secret.
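Both findings and the recommended fix, as an added Foundry test that is not part of the original submission or of the audited repository. The `PasswordStore` contract below is a minimal stand-in assumed to have the shape the report describes (s_owner in storage slot 0, s_password in slot 1, no owner check in setPassword); `PasswordStoreFixed`, the test contract, the `makeAddr` labels and the sample password "hunter2" are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the audited contract. Assumed shape for this example;
// it is not the project's own file.
contract PasswordStore {
    error PasswordStore__NotOwner();

    address private s_owner;    // storage slot 0
    string private s_password;  // storage slot 1 (short strings are packed in-slot)

    constructor() { s_owner = msg.sender; }

    // Finding 1: no access control, so any caller can overwrite the password.
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
    }

    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        return s_password;
    }
}

// Recommended fix: one onlyOwner modifier applied to both functions.
contract PasswordStoreFixed {
    error PasswordStore__NotOwner();

    address private s_owner;
    string private s_password;

    modifier onlyOwner() {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        _;
    }

    constructor() { s_owner = msg.sender; }

    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
    }

    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}

contract PasswordStoreAuditTest is Test {
    PasswordStore store;
    PasswordStoreFixed fixedStore;
    address owner = makeAddr("owner");        // hypothetical labels
    address attacker = makeAddr("attacker");

    function setUp() public {
        vm.startPrank(owner);
        store = new PasswordStore();
        store.setPassword("hunter2");         // constructed sample secret
        fixedStore = new PasswordStoreFixed();
        fixedStore.setPassword("hunter2");
        vm.stopPrank();
    }

    // Finding 1: a non-owner replaces the owner's password.
    function test_AnyoneCanSetPassword() public {
        vm.prank(attacker);
        store.setPassword("pwned");
        vm.prank(owner);
        assertEq(store.getPassword(), "pwned");
    }

    // Finding 2: `private` hides the variable from other contracts only; the
    // storage word is public. vm.load is the in-test form of eth_getStorageAt.
    function test_AnyoneCanReadPrivatePassword() public view {
        bytes32 raw = vm.load(address(store), bytes32(uint256(1)));
        // Strings under 32 bytes: data left-aligned, lowest byte holds 2 * length.
        uint256 len = uint8(raw[31]) / 2;
        bytes memory out = new bytes(len);
        for (uint256 i = 0; i < len; i++) out[i] = raw[i];
        assertEq(string(out), "hunter2");
    }

    // After the fix the attacker's write reverts; the storage read above still works.
    function test_FixedStoreRejectsNonOwner() public {
        vm.prank(attacker);
        vm.expectRevert(PasswordStoreFixed.PasswordStore__NotOwner.selector);
        fixedStore.setPassword("pwned");
    }
}
```

Run with `forge test`. `vm.load` returns the raw storage word exactly as `cast storage <address> 1` or `eth_getStorageAt` would against a live node, so the `private` keyword gives no confidentiality. The hardened contract stops the unauthorized overwrite but cannot stop the read, which is why the second recommendation applies regardless of access control.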

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
