Submission Details
Severity: high
Invalid

s_password should be a mapping - doesn't allow users to have their password be stored separately

Summary

The docs say that a user should be able to store a password, so we need a PRIVATE (for it not to be accessible publicly) mapping for that, not a single string variable. Also, we need to change both functions to work with the mapping.

Vulnerability Details

We cannot use a single string to store a password for multiple accounts.

Impact

The contract won't work as intended by the developers.

Tools Used

hardhat

Recommendations

I'll paste the whole new contract so it will be clearer.

// SPDX-License-Identifier: MIT
pragma solidity 0.8.18;

/*
 * @author not-so-secure-dev
 * @title PasswordStore
 * @notice This contract allows you to store a private password that others won't be able to see.
 * You can update your password at any time.
 */
contract PasswordStore {
    error PasswordStore__NotOwner();

    address private immutable s_owner;
@>  mapping(address => string) private s_passwords; // a mapping instead of a string

    event SetNetPassword();

    constructor() {
        s_owner = msg.sender;
    }

    /**
     * @notice This function allows a user to set a new password.
     * @param newPassword The new password to set.
     */
    function setPassword(string memory newPassword) external {
@>      s_passwords[msg.sender] = newPassword;
        emit SetNetPassword();
    }

    /**
     * @notice This allows only the user to retrieve his password.
     */
    function getPassword() external view returns (string memory) {
@>      require(bytes(s_passwords[msg.sender]).length > 0, "You haven't stored a password"); // check if the user has stored a password
@>      return s_passwords[msg.sender];
    }
}
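The following Foundry test is an added example, not part of the original submission or of the audited project. It exercises the contract pasted above for per-caller separation and for the behaviour of the length check. It assumes the contract is saved as `src/PasswordStore.sol` with the `@>` markers removed and that forge-std is installed; the test contract name, file path and the accounts `alice` and `bob` are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.18;

import {Test} from "forge-std/Test.sol";
// Assumed path: the contract above saved as src/PasswordStore.sol
import {PasswordStore} from "../src/PasswordStore.sol";

contract PasswordStoreMappingTest is Test {
    PasswordStore store;
    address alice = makeAddr("alice"); // constructed test accounts
    address bob = makeAddr("bob");

    function setUp() public {
        store = new PasswordStore();
    }

    // Each caller's getPassword() returns only the entry keyed by msg.sender.
    function test_EachCallerReadsOwnEntry() public {
        vm.prank(alice);
        store.setPassword("alice-pw");
        vm.prank(bob);
        store.setPassword("bob-pw");

        vm.prank(alice);
        assertEq(store.getPassword(), "alice-pw");
        vm.prank(bob);
        assertEq(store.getPassword(), "bob-pw");
    }

    // A caller with no entry hits the require in getPassword().
    function test_RevertsWhenCallerHasNoEntry() public {
        vm.prank(alice);
        store.setPassword("alice-pw");

        vm.prank(bob);
        vm.expectRevert(bytes("You haven't stored a password"));
        store.getPassword();
    }

    // Edge case of the length check: storing "" is indistinguishable from
    // never having stored anything, so getPassword() reverts afterwards.
    function test_EmptyStringIsTreatedAsUnset() public {
        vm.prank(alice);
        store.setPassword("");
        vm.prank(alice);
        vm.expectRevert(bytes("You haven't stored a password"));
        store.getPassword();
    }
}
```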
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
