Submission Details
Severity: high
Valid

setPassword can be called by anyone

Summary

`function setPassword(string memory newPassword) external` has no access control, so any address can call it and overwrite the stored password.

Vulnerability Details

Because the function is callable by anyone, the password can be overwritten at any point by an arbitrary address. The owner has no way to tell from `getPassword()` that the value was changed, so if the owner later reads and relies on the replaced password, the consequences can be catastrophic.

Impact

High, with high likelihood.

Tools Used

Foundry.

Recommendations

Extend OpenZeppelin's Ownable contract and add the onlyOwner modifier to the function, or add the following check at the top of setPassword(), exactly as getPassword() already does:

// Revert unless the caller is the stored owner, mirroring getPassword()
if (msg.sender != s_owner) {
    revert PasswordStore__NotOwner();
}

POC:

function test_anyone_can_set_password() public {
    // The test contract itself (not the owner) sets the password...
    string memory expectedPassword = "myNewPassword";
    passwordStore.setPassword(expectedPassword);
    // ...and the owner reads back the attacker-chosen value.
    vm.prank(owner);
    string memory actualPassword = passwordStore.getPassword();
    assertEq(actualPassword, expectedPassword);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
