First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Missing Access Control in `setPassword` function

zuhaibmohd

Summary

The PasswordStore contract has a critical vulnerability related to missing access control. The contract does not properly verify that only the owner can set the password. This lack of access control allows any user to set a new password, compromising the security of the contract.

Vulnerability Details

The setPassword function lacks an access control mechanism to verify whether the caller is the owner. As a result, any address can set a new password, regardless of ownership. Additionally, any user can easily overwrite a previously set password via backrunning.

Proof of Concept

Place the test case in the PasswordStoreTest.

function test_non_owner_can_set_password() public {
vm.prank(owner);
string memory expectedPassword = "ILoveCodeHawks";
passwordStore.setPassword(expectedPassword);
vm.prank(address(0xC0d3F4c3));
string memory newPassword = "IHackedCodeHawks";
passwordStore.setPassword(newPassword);
vm.prank(owner);
string memory actualPassword = passwordStore.getPassword();
assertEq(actualPassword, newPassword);
}

Impact

The missing access control in the setPassword function unauthorized password changes.

Tools Used

Foundry

Recommendations

Use an access control modifier, such as onlyOwner, to ensure that only the owner of the contract can set the password.

function setPassword(string memory newPassword) external onlyOwner {
s_password = newPassword;
emit SetNetPassword();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.