Not Owner user can able to update/set the Password in setPassword() in PasswordStore.sol contract
Summary
in PasswordStore.sol contract users who aren't Owner of the Contract can also be able to update/set Password using the setPassword() in the contract.
Vulnerability Details
-
in PasswordStore.sol contract users who aren't Owner of the Contract can also be able to update/set Password using the setPassword() in the contract.
-
By 1) , if Owner try to get the Password via getPassword(), He will get the password that was updated the user who lastly updated the Password by setPassword().
-
in setPassword() There is no check and revert the transaction!
Impact
if the contract is consumed by any Dapp, the user(not Owner) who updated the password can be able to access the assets and do actions as same as the Owner of the contract can able to do.
Tools Used
I've used Hardhat to test the Contract
Recommendations
in getPassword(),if the msg.sender is not the Owner, we check and revert the function call with Custom Error PasswordStore__NotOwner. The same thing need to be followed in setPassword() in contract
How found the issue
in my Hardhat test script for this Contract , I've written 4 test cases. I found this via my third test case ("3. Should not set a password by an other than Owner") ,which was failed. remaining three were got succeed.
The Script that I written has provided in the above Relevant GitHub Links section.
Lead Judging Commences
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.