Malicious password change
Summary
malicious password change
Vulnerability Details
Any user can change the owner's password during contract execution.
Impact
with the password change being carried out by any other user who can interact with the contract, it violates the principle of password security and what the contract proposes to accomplish, which would be that only the owner can set and redeem the password.
Tools Used
Manual audit and VScode
Test
following executed test:
function test_Other_User_change_Password() public {
vm.startPrank(owner);
string memory expectedPassword = "teste";
passwordStore.setPassword(expectedPassword);
vm.stopPrank();
vm.startPrank(address(0));
string memory expectedPasswordSecond = "Joao";
passwordStore.setPassword(expectedPasswordSecond);
vm.startPrank(owner);
string memory actualPassword = passwordStore.getPassword();
assertNotEq(actualPassword, expectedPassword);
}
Recommendations
Validate the sending user and the owner every time the setPassword function is called, as done in getPassword
Lead Judging Commences
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.