Submission Details
Severity: high
Valid

Lack of onlyOwner access control for the setPassword function creates a potential security risk

Summary

The setPassword function in the PasswordStore contract lacks an onlyOwner access control mechanism. This absence means any address can call this function and change the password, posing a security risk.

Vulnerability Details

    contract PasswordStore {
        // ...
        // @audit no owner check: any caller can overwrite s_password
        function setPassword(string memory newPassword) external {
            s_password = newPassword;
            emit SetNewPassword();
        }
        // ...
    }

In the current implementation of setPassword, nothing verifies that the caller is the contract owner (stored in the s_owner variable). Without this check, any address can call the function and overwrite s_password, the contract's one critical piece of state.

Impact

If malicious actors identify this vulnerability, they could continuously change the password, making the original intent of the contract (a secure place for the owner's password) useless and potentially disrupting the contract's normal operation.

An unauthorized address could interact with the contract as follows:

    PasswordStore passwordStore = PasswordStore(<contract_address>);
    passwordStore.setPassword("unauthorizedPasswordChange");

Tools Used

- foundry

Recommendations

Implement an onlyOwner access control check in the setPassword function. This check ensures that only the owner can update the password stored in the contract.

    function setPassword(string memory newPassword) external {
    +   if (msg.sender != s_owner) {
    +       revert PasswordStore__NotOwner();
    +   }
        s_password = newPassword;
        emit SetNewPassword();
    }

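
As an added illustration (not part of this submission or the PasswordStore codebase), a Foundry test that pins down the recommended behaviour: it embeds a constructed minimal PasswordStore with the fix applied, assumes the constructor sets s_owner to the deployer, and checks that a non-owner call reverts with PasswordStore__NotOwner while the owner's call succeeds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Constructed minimal PasswordStore with the recommended owner check applied.
// Assumed: s_owner is the deployer; getPassword is omitted for brevity.
contract PasswordStore {
    error PasswordStore__NotOwner();

    address private s_owner;
    string private s_password;

    event SetNewPassword();

    constructor() {
        s_owner = msg.sender;
    }

    function setPassword(string memory newPassword) external {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        s_password = newPassword;
        emit SetNewPassword();
    }
}

contract PasswordStoreAccessTest is Test {
    PasswordStore passwordStore;
    address attacker = makeAddr("attacker"); // constructed non-owner address

    function setUp() public {
        // The test contract deploys PasswordStore, so it becomes s_owner.
        passwordStore = new PasswordStore();
    }

    // The owner path must still work after the fix.
    function test_OwnerCanSetPassword() public {
        passwordStore.setPassword("ownerSecret");
    }

    // Any other caller must be rejected with the custom error.
    function test_NonOwnerCannotSetPassword() public {
        vm.prank(attacker);
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        passwordStore.setPassword("unauthorizedPasswordChange");
    }
}
```

Run with `forge test`; the second test fails against the original setPassword, which is the regression signal the fix should leave behind.
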
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
