First Flight #1: PasswordStore

First Flight #1

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing Access Control on setPassword

equious

Summary

There's no limit to whom can call the setPassword function. Anyone can change the owner's saved password, losing the record of the original password, rendering the protocol functionally useless.

Vulnerability Details

NatSpec indicates the intention that only the owner can call this function, but there's no check or require on msg.sender.

* @notice This function allows only the owner to set a new password.

* @param newPassword The new password to set.

function setPassword(string memory newPassword) external {

s_password = newPassword;

emit SetNetPassword();

}

Impact

The protocol can't be trusted to provide the desired password, anyone can change it at any time rendering the protocol and unfit solution for storing and retrieving anything securely. Ease of exploit also leads me to assume a likelihood of High, resulting in a High Severity.

POC

function test_non_owner_setting_password_reverts() public {

vm.startPrank(address(1));

vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);

passwordStore.setPassword("myNewPassword");

}

Running 1 test for test/PasswordStore.t.sol:PasswordStoreTest

[FAIL. Reason: Call did not revert as expected] test_non_owner_setting_password_reverts() (gas: 15114)

Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 1.55ms

Ran 1 test suites: 0 tests passed, 1 failed, 0 skipped (1 total tests)

Failing tests:

Encountered 1 failing test in test/PasswordStore.t.sol:PasswordStoreTest

[FAIL. Reason: Call did not revert as expected] test_non_owner_setting_password_reverts() (gas: 15114)

Encountered a total of 1 failing tests, 0 tests succeeded

Tools Used

Manual Review
Foundry

Recommendations

Implement a check on msg.sender to assure it equals the owner:

if (msg.sender != s_owner) {

revert PasswordStore__NotOwner();

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

almost 2 years ago

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

equious Submitter

almost 2 years ago

inallhonesty Lead Judge

almost 2 years ago

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.