Submission Details
Severity: high
Valid

Not having any access control on `setPassword` function allows anyone to set the password

Summary

Access control is needed on the `setPassword` function. Without it, anyone can change the password.

Vulnerability Details

Because `setPassword` has no access control, anyone can set the password to a value of their choosing and then use that value wherever the password is required, for example to reach protected data or code paths gated on the password.

A check should be added so that only the owner can update the password, just as is already done in the `getPassword` function.

Impact

Anyone can set the password.

```solidity
function test_non_owner_can_set_password() public {
    // non-owner successfully calls the setPassword function
    vm.prank(address(1));
    string memory newPwd = "Mynewpassword123";
    passwordStore.setPassword(newPwd);
    // retrieve the password as the owner to verify that it
    // did in fact change to what the non-owner set
    vm.prank(owner);
    string memory actualPassword = passwordStore.getPassword();
    assertEq(actualPassword, newPwd);
}
```
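Added example, not part of the original submission: the complementary Foundry regression test that the recommended owner check should make pass (a non-owner call reverts with `PasswordStore__NotOwner`, while the owner path keeps working). It assumes the contract is named `PasswordStore`, lives at `src/PasswordStore.sol`, and records the deployer as `s_owner` in its constructor.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
// Assumed path and contract name; adjust to the project's layout.
import {PasswordStore} from "../src/PasswordStore.sol";

contract PasswordStoreAccessControlTest is Test {
    PasswordStore public passwordStore;
    address public owner;

    function setUp() public {
        // Assumed: the constructor stores msg.sender (this test contract) as s_owner.
        passwordStore = new PasswordStore();
        owner = address(this);
    }

    // With the access check in place, a non-owner call must revert
    // with the custom error instead of silently overwriting the password.
    function test_non_owner_cannot_set_password() public {
        vm.prank(address(1));
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        passwordStore.setPassword("Mynewpassword123");
    }

    // The intended use must still work: the owner sets and reads the password.
    function test_owner_can_still_set_password() public {
        string memory newPwd = "OwnerPassword456";
        vm.prank(owner);
        passwordStore.setPassword(newPwd);
        vm.prank(owner);
        assertEq(passwordStore.getPassword(), newPwd);
    }
}
```

Run with `forge test --match-contract PasswordStoreAccessControlTest`; the first test fails against the unpatched contract and passes once the owner check is added.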

Tools Used

  • Foundry

  • Manual audit

Recommendations

- function setPassword(string memory newPassword) external {
+ function setPassword(string memory newPassword) external {
+ if (msg.sender != s_owner) {
+ revert PasswordStore__NotOwner();
+ }
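Review bot: the `-`/`+` pair on the `function setPassword(...)` signature is identical, so the hunk records no change on that line; only the three added lines carry the fix. The hunk also stops at the closing brace of the `if`, so the rest of the original function body and its closing brace are not shown and must be kept as they are when applying the change. The check relies on `s_owner` and the custom error `PasswordStore__NotOwner` already being declared in the contract, which the text implies since the same check is used in `getPassword`; if the diff is meant to stand alone, it would help to state that explicitly.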

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
