First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Owner Spoofing Vulnerability

kevinkkien

Summary

The PasswordStore contract in the current project has a critical security vulnerability related to owner spoofing. A user can potentially compromise the initial owner (the contract creator) using a spoofing technique, particularly through the setPassword() function.

Vulnerability Details

In the setPassword() function, there are no checks to verify whether the caller is the initial owner (the contract creator) or not. This leads to the possibility of a user changing the owner by deploying a new contract and then using the setPassword() function to change the owner to the address of the new contract.

Impact

This vulnerability could result in the loss of the initial owner's sole control. An attacker could gain control or modify data within the contract, depending on their intentions.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, it is essential to add a check to ensure that only the initial owner is allowed to change the password. Specifically, you can use a check within the setPassword() function to compare msg.sender with s_owner before allowing the change to take place.

function setPassword(string memory newPassword) external {
require(msg.sender == s_owner, "Only the owner can set a new password");
s_password = newPassword;
emit SetNetPassword();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.