First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

No access control in terms of function `setPassword` can be very risky

0x0115

Summary

No access control in terms of function setPassword can be very risky

Vulnerability Details

No access control in terms of function setPassword. This can be very risky because the design of the contract is supposed to store the owner's password.

If there is no such access control, anyone can overwrite the password and since then the password will be a different value.

And at the same time, if the incentive is enough then anyone can front-run the owner's calling the function to change the password value. Then when the owner calls the function it will return a surprising value instead.

Impact

No access control means this contract is not supposed to work as supposed.

Tools Used

Manual review

Recommendations

set the function's access control as onlyOwner.

+ import {Ownable} from "openzeppelin-contracts/contracts/access/Ownable.sol";
- contract PasswordStore {
+ contract PasswordStore is Ownable {
...
- constructor() {
+ constructor() Ownable(msg.sender) {
- // s_owner = msg.sender;
}
...
- function setPassword(string memory newPassword) external
+ function setPassword(string memory newPassword) external onlyOwner {
s_password = newPassword;
emit SetNetPassword();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.