Submission Details
Severity:
newPassword can be an empty string
Summary
The PasswordStore::setPassword() function accepts an empty string as input, allowing the user to store a non-password value. While this behaviour doesn't lead to unexpected outcomes, it doesn't align with the purpose of a password storage to store an empty password.
Vulnerability Details
function setPassword(string memory newPassword) external {
@> s_password = newPassword;
emit SetNetPassword();
}
Impact
function test_can_set_empty_password() public {
vm.startPrank(owner);
string memory actualPassword = "";
passwordStore.setPassword(actualPassword);
console.log("Actual password: ", actualPassword);
assertEq(actualPassword, "");
}
Tools Used
Manual review
Recommendations
Add a checks in the PasswordStore::setPassword() function that reverts in case the password is an empty string.
function setPassword(string memory newPassword) external {
+ if (keccak256(abi.encodePacked(newPassword)) == keccak256(abi.encodePacked(""))){
+ revert SetNewPassord_EmptyPasswordNotAllowed();
+ }
s_password = newPassword;
emit SetNetPassword();
}
Updates
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.