The contract allows anyone to store a new password and overwrite the owner's password: the `setPassword()` function has no access control and is not restricted to the owner.
POC
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Path of the audited contract is assumed.
import {PasswordStore} from "./PasswordStore.sol";

contract InteractWithPassStore {
    PasswordStore public passwordstore;
    string public password;

    constructor(address victimAddress) {
        passwordstore = PasswordStore(victimAddress);
    }

    // Any caller can overwrite the password held by the victim contract.
    function store(string memory _newpass) external {
        password = _newpass;
        passwordstore.setPassword(password);
    }
}
```
With this contract, `setPassword()` is called and the stored password is updated without the owner's knowledge. When the owner later calls `getPassword()`, it returns the attacker-supplied password, not the one the owner set.
The password variable can be updated by anyone.
Remix IDE
Add this revert check at the start of `setPassword()`:
```solidity
if (msg.sender != s_owner) {
    revert PasswordStore__NotOwner();
}
```
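As an added illustration (not the project's code or the submitter's PoC), the contract below shows the unrestricted `setPassword()` next to a version that applies the recommended revert check through an `onlyOwner` modifier. The names `s_owner`, `s_password`, `setPassword`, `getPassword` and `PasswordStore__NotOwner` follow the finding; the constructor, the `onlyOwner` modifier and the compiler version are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Vulnerable form, constructed to mirror the finding: setPassword has no
// access control, so any externally owned account or contract can call it.
contract PasswordStoreVulnerable {
    error PasswordStore__NotOwner();

    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender;
    }

    // No check on msg.sender: the owner's password can be overwritten by anyone.
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
    }

    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        return s_password;
    }
}

// Hardened form: the same owner check the finding recommends, factored into a
// modifier so it cannot be forgotten on one of the two functions.
contract PasswordStoreFixed {
    error PasswordStore__NotOwner();

    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        _;
    }

    // A call from any address other than s_owner now reverts before the write.
    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
    }

    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}
```

Calling `setPassword` on `PasswordStoreFixed` from any address other than the deployer reverts with `PasswordStore__NotOwner()` and leaves `s_password` unchanged, which is the behaviour a regression test for this finding should assert.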
Anyone can call `setPassword` and set a new password contrary to the intended purpose.