First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

function setPassword() can be changed by non owner

echospr

Summary

In PasswordStore::setPassword() function can be set or changed by a non owner, the protocol states that only the owner is suppose to be able to set a new password.

Vulnerability Details

If anyone can change the password then the owner does not fully have control over their password management system. If the owner sets the password one day a hacker can come in right behind the owner and change it instantly.

Impact

Here you can see in this test how an attacker can attack this password system.

function test_non_owner_setting_new_password() public {
vm.startPrank(owner);
string memory expectedPassword = "NewPassWord";
passwordStore.setPassword(expectedPassword);
string memory actualPassword = passwordStore.getPassword();
assertEq(actualPassword, expectedPassword);
vm.startPrank(alice);
string memory sneakPassword = "sneaky";
passwordStore.setPassword(sneakPassword);
vm.startPrank(owner);
string memory sneak = passwordStore.getPassword();
assertEq(sneak, sneakPassword);
}

Tools Used

Foundry

Recommendations

Use an onlyOwner modifier, Just like what is being used in the getPassword() function.

if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.