Submission Details
Severity:
Access Control - non-owner can set a new password
Summary
in PasswordStore.sol the function setPassword() does not check that msg.sender == owner allowing anyone to be able to set a new password.
Vulnerability Details
Running the test shown below in PasswordStore.t.sol will illustrate that a non-owner can set whatever new password they wish.
// @audit test
function test_non_owner_can_set_password() public {
vm.startPrank(address(29));
string memory expectedPassword = "I_Love_CodeHawks";
passwordStore.setPassword(expectedPassword);
vm.stopPrank();
// Using the owner account to see the password
vm.startPrank(owner);
string memory actualPassword = passwordStore.getPassword();
assertEq(expectedPassword, actualPassword);
}
Impact
This has been classified as a high issue, as anyone can set a new password.
Tools Used
Foundry & Manual Review
Recommendations
Add a check in setPassword() to ensure msg.sender == owner, such as the one shown below.
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
Updates
Lead Judging Commences
inallhonesty
about 2 years ago
inallhonesty about 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.