An attacker can change the owners password
Summary
No access control on setPassword function.
Vulnerability Details
setPassword function does not have an access control. Anyone can call this function and change the s_password.
Here is my foundry test that proves this vulnerability:
function test_attacker_can_set_password() public {
// The owner sets his password
vm.startPrank(owner);
string memory expectedPassword = "myNewPassword";
passwordStore.setPassword(expectedPassword);
vm.stopPrank();
// Now attacker sets his own password (he shouldn't be able to)
vm.startPrank(address(1));
string memory attackerPassword = "AttackersNewPassword";
passwordStore.setPassword(attackerPassword);
vm.stopPrank();
//owner gets the password from contract
vm.prank(owner);
string memory finalPassword = passwordStore.getPassword();
// Checks if attackers password is the same with the password owner gets by calling the getPassword
assertEq(finalPassword, attackerPassword);
}
Impact
High
Tools Used
Foundry Test
Recommendations
As I said before, this contract has a fundamental issue and you should not put your password onchain. However, if you still want to deploy this contract and don't want anyone to change the "password" there is a fix.
Adding a simple access control on the setPassword function could resolve this issue. You can add the same access control from the getPassword function. Here is an example setPassword function that only the owner call:
function setPassword(string memory newPassword) external {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
s_password = newPassword;
emit SetNetPassword();
}
Lead Judging Commences
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.