Submission Details
Severity:
Anyone can call set new password
Summary
Anyone can call PasswordStore.setPassword() method to set new password
Vulnerability Details
The setPassword() method has external visibility and no restriction to validate the caller is the owner of the contract or not.
function setPassword(string memory newPassword) external {
s_password = newPassword;
emit SetNetPassword();
}
Impact
Anyone can can set new password for this contract means that if external contract logic utilizing the password might fail.
Here is my PoC code using Foundry unit test
function test_anyone_can_set_password() public {
vm.startPrank(address(1));
string memory expectedPassword = "newPassword";
passwordStore.setPassword(expectedPassword);
vm.stopPrank();
vm.startPrank(owner);
string memory actualPassword = passwordStore.getPassword();
assertEq(actualPassword, expectedPassword);
}
Tools Used
Manual review
Recommendations
Adding caller restriction for setPassword() method
Here is my implementation:
function setPassword(string memory newPassword) external {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
s_password = newPassword;
emit SetNetPassword();
}
Updates
Lead Judging Commences
inallhonesty
about 2 years ago
inallhonesty about 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.