Severity: high
Valid

Access Control Allows Unauthorized Password Changes

Summary

This report highlights a vulnerability in the PasswordStore smart contract. The contract was documented to allow only the owner to set the password. However, there is a flaw that allows any address to change the stored password, contradicting the documented behavior.

Vulnerability Details

The PasswordStore smart contract is designed to store a private password accessible only by its owner. The constructor sets the owner upon deployment, and the setPassword function is intended to allow only the owner to set a new password.

However, the contract as implemented allows any Ethereum address to change the stored password. The cause is a missing access control check in the setPassword function: it should verify that the sender is the owner, but the current implementation performs no such check. As a result, anyone can change the stored password, and the actual functionality contradicts the documented behavior.

    /*
     * @notice This function allows only the owner to set a new password.
     * @param newPassword The new password to set.
     */
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
        emit SetNetPassword();
    }

Impact

The impact of this vulnerability is that unauthorized parties can change the stored password. This could lead to confusion and unintended access to the password by parties other than the owner. For example, if Alice stores her password as "ABC" with the understanding that only she can retrieve it, Bob could change it to "XYZ" without authorization, preventing Alice from accessing her previously stored password.

Tools Used

Manual code review.

Recommendations

Modify the setPassword function to include an access control check that ensures only the owner can set a new password.
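
One way to apply this recommendation, with a Foundry test that confirms a non-owner call reverts. This is an added example, not code from the audited repository or the submission; s_owner, PasswordStore__NotOwner, getPassword and the test addresses are assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
// Added example, not the audited contract. s_owner, PasswordStore__NotOwner
// and getPassword are assumed names; s_password and SetNetPassword are from the report.
contract PasswordStoreFixed {
    error PasswordStore__NotOwner();
    address private s_owner;
    string private s_password;
    event SetNetPassword();

    constructor() {
        s_owner = msg.sender; // deployer becomes owner, as the report describes
    }

    function setPassword(string memory newPassword) external {
        // The access control check the audited function lacks.
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        s_password = newPassword;
        emit SetNetPassword();
    }

    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        return s_password;
    }
}

contract PasswordStoreFixedTest is Test {
    PasswordStoreFixed store;
    address owner = makeAddr("owner"); // constructed test address
    address stranger = makeAddr("stranger"); // constructed test address

    function setUp() public {
        vm.prank(owner);
        store = new PasswordStoreFixed();
    }

    function test_nonOwnerCannotSetPassword() public {
        vm.prank(owner);
        store.setPassword("ABC");
        vm.prank(stranger);
        vm.expectRevert(PasswordStoreFixed.PasswordStore__NotOwner.selector);
        store.setPassword("XYZ");
        vm.prank(owner);
        assertEq(store.getPassword(), "ABC"); // password unchanged
    }
}
```

Running the same test against the original setPassword fails at the expectRevert step, which makes it a useful regression test for the fix.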

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
