Submission Details
Severity:
Non-owner can update the password
[H-01] Non-owner can update the password
Description
The setPassword function, doesnt check who is the msg.sender. This way user who is different from the owner can update the password.
Proof of Concept
The following forge test can be seen to demonstrate these findings:
function test_non_owner_set_password() public {
// get password via owner account
vm.startPrank(owner);
string memory ownerPassword = passwordStore.getPassword();
vm.stopPrank();
// impersonate as other account and set new password, which wont fail, but should
vm.startPrank(address(1));
passwordStore.setPassword("fromOtherAccount");
vm.stopPrank();
// impersonate as owner again and check that password has changed, which should not be the case
vm.startPrank(owner);
string memory actualPassword = passwordStore.getPassword();
assertNotEq(ownerPassword, actualPassword);
}
Impact
Given the vulnerability described has a high likelihood and high impact, we evaluate the severity to HIGH.
Recommended Mitigation
A function modifier onlyOwner can be used, to validate the msg.sender in both methods: setPassword and getPassword.
Example:
modifier onlyOwner {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
_;
}
function getPassword() external view onlyOwner returns (string memory);
function setPassword(string memory newPassword) external onlyOwner;
Updates
Lead Judging Commences
inallhonesty
about 2 years ago
inallhonesty about 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.