First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Missing owner check in setPassword allows anyone to change the password

robbiesumner

Summary

Passwordstore::setPassword does not implement an owner check, resulting in anyone being able to change the password.

Vulnerability Details

As setPassword immediately sets the new password without doing any checks before, it can be called by anyone. This means the password can be set by anyone calling the contract.

This foundry test fails as the password is set to "notMyPassword" by other:

function test_only_owner_can_set_password() external {
vm.prank(owner);
passwordStore.setPassword("myPassword");
vm.prank(other);
passwordStore.setPassword("notMyPassword");
vm.prank(owner);
assertEq(passwordStore.getPassword(), "myPassword");
}

Impact

Anyone (not only the owner) can set a new password as the function has no access control.

Tools Used

  • foundry

  • manual review

Recommendations

Implement an owner check in Passwordstore::setPassword as already implemented in getPassword.

function setPassword(string memory newPassword) external {
+ if (msg.sender != s_owner) {
+ revert PasswordStore__NotOwner();
+ }
s_password = newPassword;
emit SetNetPassword();
}

Alternatively a modifier could be created and added to both setPassword and getPassword function declarations to modularize the owner check:

modifier onlyOwner() {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
_;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.