Submission Details
Severity: low
Invalid

The deployment script sets a default password

Summary

The deployment script initializes the system with an initial password, specifically "myPassword". If a user calls getPassword() before setting their own password, the system returns a password anyway. That returned value is not the user's chosen password; it is the default password the system was deployed with. This can mislead and confuse users.

Vulnerability Details

// DeployPasswordStore.s.sol
function run() public returns (PasswordStore) {
    vm.startBroadcast();
    PasswordStore passwordStore = new PasswordStore();
@>  passwordStore.setPassword("myPassword");
    vm.stopBroadcast();
    return passwordStore;
}

Impact

function test_set_default_password() public {
    vm.startPrank(owner);
    string memory actualPassword = passwordStore.getPassword();
    console.log("Actual password: ", actualPassword);
    assertEq(actualPassword, "myPassword");
}

Tools Used

Manual review

Recommendations

The deployment script should not include a default password. The system can be deployed with an empty string.

DeployPasswordStore.s.sol script:

function run() public returns (PasswordStore) {
vm.startBroadcast();
PasswordStore passwordStore = new PasswordStore();
- passwordStore.setPassword("myPassword"); //line 11
+ passwordStore.setPassword("");
vm.stopBroadcast();
return passwordStore;
}
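
Review bot: the added `passwordStore.setPassword("");` line looks redundant. Unless the PasswordStore constructor assigns a value, a freshly deployed contract's string storage already reads back as empty, so this call only spends an extra broadcast transaction to write the same state. Consider deleting the `setPassword` call from `run()` instead of replacing its argument, and drop the `//line 11` remark, which goes stale as soon as the script changes. Note that `getPassword()` will still return a value (an empty string) before the owner sets one, so the proof-of-concept test would need to assert on "" rather than "myPassword".
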
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
