Submission Details
Severity: high
Valid

setPassword() lacks access control, therefore allowing anyone to call it

Summary

The setPassword() function lacks access control, which results in anyone being able to call this function and set a new password.

Vulnerability Details

The protocol's goal is to allow only s_owner to call setPassword() and set a new password. However, the setPassword() function lacks any access control, so anyone can call it.

@> function setPassword(string memory newPassword) external {
       s_password = newPassword;
       emit SetNetPassword();
   }

Impact

Anyone can call setPassword() and set a new password, which means the password previously set by s_owner is no longer stored in s_password.

The following test fails as written (no revert happens, so vm.expectRevert() is not satisfied) and passes once the vm.expectRevert(); line is commented out, proving that address(1) can set a new password:

function test_only_owner_can_set_password() public {
    vm.startPrank(address(1)); // non-owner caller
    string memory expectedPassword = "myNewPassword";
    vm.expectRevert();         // expected to revert, but does not
    passwordStore.setPassword(expectedPassword);
}

Tools Used

  • Foundry

Recommendations

Add access control to the setPassword() function:

function setPassword(string memory newPassword) external {
+   if (msg.sender != s_owner) {
+       revert PasswordStore__NotOwner();
+   }
    s_password = newPassword;
    emit SetNetPassword();
}
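As an added example (not the submission's or the protocol's own code), the recommended check applied to a stand-in contract, with Foundry tests that enforce it. The contract shape (owner set in the constructor, custom error PasswordStore__NotOwner, event SetNetPassword, an owner-only getPassword()) is assumed from the snippets above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Stand-in for the audited contract (assumed shape: owner set in the constructor,
// custom error PasswordStore__NotOwner, event SetNetPassword) with the
// recommended owner check applied to setPassword().
contract PasswordStoreFixed {
    error PasswordStore__NotOwner();
    event SetNetPassword();
    address private s_owner;
    string private s_password;
    constructor() {
        s_owner = msg.sender;
    }
    function setPassword(string memory newPassword) external {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        s_password = newPassword;
        emit SetNetPassword();
    }
    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        return s_password;
    }
}

contract PasswordStoreFixedTest is Test {
    PasswordStoreFixed passwordStore;
    address attacker = address(1);
    function setUp() public {
        passwordStore = new PasswordStoreFixed(); // test contract becomes s_owner
    }
    // After the fix, the non-owner call reverts with the custom error.
    function test_non_owner_cannot_set_password() public {
        vm.prank(attacker);
        vm.expectRevert(PasswordStoreFixed.PasswordStore__NotOwner.selector);
        passwordStore.setPassword("attackerPassword");
    }
    // The owner path still works and the stored value is updated.
    function test_owner_can_set_password() public {
        passwordStore.setPassword("myNewPassword");
        assertEq(passwordStore.getPassword(), "myNewPassword");
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; both tests should pass against the fixed contract.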
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
