The contract lacks proper access control, allowing unauthorized users to call the setPassword function. Currently, the only access control measure is in the getPassword function, which checks that the caller is the owner. The critical setPassword function, however, has no access control check at all, leaving it open to unauthorized updates.
There is no modifier or condition restricting who may call setPassword. As a result, any account on the Ethereum network can overwrite the password stored in the contract, which is a security concern.
The lack of access control on the setPassword function has the following impacts:
Unauthorized users can change the password stored in the contract, compromising the confidentiality and integrity of the password.
Malicious actors can disrupt the intended functionality of the contract, or deface it, by changing the password.
No specific tools were used for this analysis; it is a manual code review based on the provided code.
To mitigate the "Lack of Access Control" vulnerability, implement proper access control on the setPassword function, for example by gating it with an owner-only modifier.
With an owner-only check in place, only the contract owner (the address that deployed the contract) will be able to change the password. This provides a basic access control mechanism that prevents unauthorized updates.
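The following is an added illustration of the recommended fix, not the audited contract's own source. Contract and member names (`PasswordStore`, `s_owner`, `s_password`, `NotOwner`) are assumed for the example, as is the use of Foundry's `forge-std` for the accompanying test that confirms a non-owner call to `setPassword` reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example (assumed names throughout; not the audited contract's source).
contract PasswordStore {
    error NotOwner();

    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender; // the deployer becomes the owner
    }

    // Reverts for every caller except the owner. Applying this modifier to
    // setPassword is the access control the finding recommends.
    modifier onlyOwner() {
        if (msg.sender != s_owner) revert NotOwner();
        _;
    }

    // Vulnerable shape described in the finding, kept only as a comment for
    // contrast: no caller check, so any account can overwrite the password.
    //
    // function setPassword(string memory newPassword) external {
    //     s_password = newPassword;
    // }

    // Hardened version: identical body, now gated by onlyOwner.
    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
    }

    // Existing read path already restricted to the owner.
    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}

// Foundry test (assumes forge-std is installed) that checks the fix:
// the owner can update the password, a stranger cannot.
import {Test} from "forge-std/Test.sol";

contract PasswordStoreAccessTest is Test {
    PasswordStore internal store;
    address internal owner = address(this); // deployer in the test context
    address internal stranger = address(0xBEEF); // constructed non-owner address

    function setUp() public {
        store = new PasswordStore();
    }

    function testOwnerCanSetPassword() public {
        store.setPassword("owner-secret");
        assertEq(store.getPassword(), "owner-secret");
    }

    function testStrangerCannotSetPassword() public {
        vm.prank(stranger); // next call is made from the non-owner address
        vm.expectRevert(PasswordStore.NotOwner.selector);
        store.setPassword("hijacked");
    }
}
```

Run with `forge test`; the second test fails against the vulnerable version (the call succeeds and the password is overwritten) and passes once `onlyOwner` is applied, which makes it a useful regression check to keep in the suite.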
Anyone can call `setPassword` and set a new password contrary to the intended purpose.