Submission Details
Severity: high
Valid

Anyone can set a new password due to lack of access control

Summary

The setPassword function in the PasswordStore contract is intended for the owner's exclusive use. However, it lacks the necessary restrictions, allowing any user to change the password.

Vulnerability Details

The contract does not enforce owner-only access to the setPassword function. As a result, any Ethereum address can call this function and overwrite the stored password. This oversight exposes the contract to unauthorized password modification.

Impact

The whole logic of the contract is at risk, as the stored data is unreliable: the contract returns whichever password was set most recently, regardless of whether the owner set it.

Tools Used

Manual analysis.

Recommendations

Add a modifier or a require statement to the setPassword function that checks that the caller (msg.sender) is the owner's address, so that only the owner can change the password.
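A hardened form of setPassword guarded by an owner-only modifier, with a Foundry regression test that checks the access control. This is an added example, not the audited contract's code; names such as s_owner, s_password, PasswordStore__NotOwner, the test contract and the forge-std dependency are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Test} from "forge-std/Test.sol";

// Hardened PasswordStore (illustration only, not the audited contract).
// Assumed names: s_owner, s_password, PasswordStore__NotOwner.
contract PasswordStore {
    error PasswordStore__NotOwner();
    address private s_owner;
    string private s_password;

    event SetNewPassword();

    // Reverts unless the caller is the owner recorded at deployment.
    modifier onlyOwner() {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        _;
    }

    constructor() {
        s_owner = msg.sender;
    }

    // Before the fix this function had no access check, so any address
    // could overwrite the stored password. The modifier closes that gap.
    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
        emit SetNewPassword();
    }
}

// Foundry regression test for the access check (assumes forge-std).
contract PasswordStoreTest is Test {
    PasswordStore store;
    address owner = makeAddr("owner");
    address attacker = makeAddr("attacker");

    function setUp() public {
        vm.prank(owner);
        store = new PasswordStore();
    }

    // A call from any address other than the owner must revert.
    function test_nonOwnerCannotSetPassword() public {
        vm.prank(attacker);
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        store.setPassword("not-the-owner");
    }
}
```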

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
