Submission Details
Severity: low
Invalid

Single password system capability

Summary

The contract can store only a single password at any given time. Whenever a new password is stored, it overwrites the previous password without any prior notification to the user. As a result, the user might inadvertently replace the old password and lose access to it.

Vulnerability Details

PasswordStore.sol:

string private s_password; //line 14

Impact

    function test_can_set_password_only_one_password() public {
        vm.startPrank(owner);
        string memory setFirstPassword = "FirstPassword";
        passwordStore.setPassword(setFirstPassword);
        string memory actualPassword = passwordStore.getPassword();
        console.log("Actual password: ", actualPassword);
        string memory setSecondPassword = "SecondPassword";
        passwordStore.setPassword(setSecondPassword);
        actualPassword = passwordStore.getPassword();
        console.log("Second password: ", actualPassword);
        // The first password is lost
        assertNotEq(actualPassword, "FirstPassword");
        assertEq(actualPassword, "SecondPassword");
    }

Tools Used

Manual review.

Recommendations

Consider enhancing the system by implementing the capability for multiple password storage.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
