First Flight #1: PasswordStore

Summary

Access Control issues are common in all programs, not just smart contracts. One usually accesses a contract's functionality through its public or external functions.

Access controls define the restrictions around privileges and roles of users in an application.

Vulnerability Details

The consequences of neglecting access control can be disastrous. Without proper checks, unauthorized users can gain unrestricted access to sensitive functionalities, such as minting or burning tokens, altering critical contract parameters, or even transferring ownership. This unrestricted access can lead to unauthorized creation or destruction of tokens, theft of user funds, or manipulation of contract behavior.

Missed Modifier Validations — It is important to have access control validations on critical functions

The setPassword() function is used to set a new password, but the problem is this function lacked any access control. The visibility modifier was set to external allowing anyone to set a new password.

https://github.com/Cyfrin/2023-10-PasswordStore/blob/main/src/PasswordStore.sol?plain=1#L26

Impact

Proper access control ensures that only authorized entities can execute sensitive operations or modify critical data. However, when access control mechanisms are improperly implemented or omitted entirely, vulnerabilities emerge.

The visibility modifier was set to external allowing anyone to set a new password.

Tools Used

Manual code review

Recommendations

Implementing proper access control mechanisms involves using modifiers, conditionals, or external role-based contracts to restrict function execution to authorized entities.

To fix this issue, you should use the onlyowner modifier to restrict access to the function so that only the current owner can call it.