First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Insecure Password Control in `PasswordStore`

PTolev

Summary

The vulnerability stems from the absence of access control in the setPassword function, allowing anyone to set a new password.

Vulnerability Details

The vulnerability resides in the setPassword function of the PasswordStore smart contract. Currently, there is no access control mechanism in place, which means that anyone, regardless of their permissions or identity, can set a new password for the contract.

Impact

The potential consequences of this vulnerability are significant. Given that everyone, including malicious actors, can freely set a new password, it introduces a substantial security risk. This unauthorized access can lead to unauthorized control and manipulation of the contract, compromising both the protocol's integrity and the security of the user.

Tool used

Manual Review

Recommended Mitigation

To address this vulnerability, it is crucial to implement proper access control within the setPassword function. Access should be restricted to authorized users or the contract owner. A possible solution is to add an access control statement, as shown below:

function setPassword(string memory newPassword) external {
require(msg.sender == s_owner, "Only the contract owner can set the password");
s_password = newPassword;
emit SetNetPassword();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.