In the PasswordStore.sol contract, specifically in the `setPassword` function, there is no check that the caller is the owner. As a result, any user can change the stored password, regardless of whether they are the owner or not.
Here is a simple POC in Foundry to verify that any user can change the password:

```solidity
function test_random_user_can_set_password() public {
    // Act as an arbitrary non-owner address
    vm.startPrank(address(1));
    string memory expectedPassword = "myNewPassword";
    passwordStore.setPassword(expectedPassword);
    vm.stopPrank();

    // Read back as the owner (getPassword is owner-only) and confirm it changed
    vm.prank(owner);
    string memory actualPassword = passwordStore.getPassword();
    assertEq(actualPassword, expectedPassword);
}
```
I recommend adding an ownership check at the top of the function so that only the owner can make changes:

```solidity
function setPassword(string memory newPassword) external {
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    s_password = newPassword;
    emit SetNetPassword();
}
```
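The following Foundry test is an added regression check for the fix above; it is not part of the original submission or the PasswordStore project. It assumes the contract's constructor sets `s_owner` to the deployer, that the custom error is named `PasswordStore__NotOwner` as in the fix, and that `getPassword` is owner-only (hence the pranked read). The `attacker` address is a constructed sample value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol";

// Added regression test (not the project's own code).
// Assumptions: constructor sets s_owner = msg.sender; the custom error is
// PasswordStore__NotOwner; getPassword reverts for non-owners.
contract PasswordStoreAccessControlTest is Test {
    PasswordStore internal passwordStore;
    address internal owner;
    address internal attacker = address(1); // constructed non-owner address

    function setUp() public {
        owner = address(this); // the deploying test contract becomes s_owner
        passwordStore = new PasswordStore();
    }

    // With the ownership check in place, a non-owner call must revert
    // with the contract's custom error rather than silently succeed.
    function test_non_owner_cannot_set_password() public {
        vm.prank(attacker);
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        passwordStore.setPassword("attackerPassword");
    }

    // The owner path must keep working, so the check is not over-restrictive.
    function test_owner_can_still_set_password() public {
        string memory expected = "ownerPassword";
        vm.prank(owner);
        passwordStore.setPassword(expected);

        vm.prank(owner);
        string memory actual = passwordStore.getPassword();
        assertEq(actual, expected);
    }
}
```

Running `forge test` against the unpatched contract makes the first test fail (no revert occurs), and against the patched contract both tests pass, which gives a clear before/after signal for the finding.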
Anyone can call `setPassword` and set a new password contrary to the intended purpose.