Beginner Friendly / Foundry
100 EXP
Submission Details
Severity: high
Valid

Non-owners can set the password

Summary

Anyone can call setPassword and overwrite the stored password; the function has no owner check.

Vulnerability Details

In PasswordStore.sol the developer states (comment on line 23) that setPassword(string memory) (line 26) can only be called by the owner, when in fact any address can call it. The following Foundry test demonstrates this:

```solidity
function testNotOwnerCanSetPassword() public {
    vm.startPrank(address(69)); // a random, non-owner address
    string memory expectedPassword = "LolNo"; // the password the non-owner wants to set
    passwordStore.setPassword(expectedPassword); // address(69) sets the password to expectedPassword
    vm.stopPrank();
    vm.startPrank(owner);
    string memory actualPassword = passwordStore.getPassword(); // read it back as the owner, the only address allowed to
    assertEq(expectedPassword, actualPassword); // the stored password is the one the non-owner set
    vm.stopPrank();
}
```

Impact

The password cannot be safely stored in this contract because anyone can overwrite it, so there is no guarantee that the value the owner saved will still be there later. This defeats the protocol's only purpose, which is to store the owner's password: the owner saves a password today, and tomorrow someone else has replaced it.

Tools Used

PatrickAlphaC Solidity Tutorial

Recommendations

Add a check at the start of the function that the caller is the owner, and revert with PasswordStore__NotOwner() otherwise:

```solidity
if (msg.sender != s_owner) {
    revert PasswordStore__NotOwner();
}
```
Updates

Lead Judging Commences

inallhonesty, Lead Judge, about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
