First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Anyone can set the password and not only the owner

numbernine

Summary

Anyone can set the user password to any arbitrary value. This would allow an attacker to change the password and access any system that this contract safeguards.

Vulnerability Details

The comments in the setPassword function (line 26) indicates that only the owner s_owner would be able to call this function. However, the function is missing any check that ensures that this is true.

Impact

This completeley breaks the protocol. Allowing anyone to change the password renders the getPassword function useless, given that any attacker may know the password that they might be setting for themselves.

Tools Used

Solidity testing. See POC

function test_non_owner_setting_password_doesnt_revert() public {
vm.startPrank(address(1)); //Attacker address
string memory expectedPassword = "myNewPassword";
passwordStore.setPassword(expectedPassword);
vm.stopPrank();
vm.prank(owner);
string memory actualPassword = passwordStore.getPassword();
assertEq(actualPassword, expectedPassword);
}

Recommendations

Add this check at the top of the function.

if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.