Submission Details
Severity: high
Valid

Missing access control on `setPassword` method

Summary

The PasswordStore contract has critical vulnerabilities in access control and data confidentiality. Specifically, the `setPassword` function lacks appropriate access control, and the password is exposed in the transaction's calldata, which is publicly visible in the mempool.

Vulnerability Details

  1. Access Control Issue: The setPassword function is designed to set a new password for the contract. However, there is no access control mechanism in place to restrict this action to the contract's owner. As a result, any Ethereum user can call this function to overwrite the password.

  2. Mempool Exposure: When a transaction is sent to the Ethereum network, its calldata is stored in the mempool before it is included in a block. Since the mempool is public, malicious actors can inspect it to see the calldata of the setPassword function, thereby obtaining the plaintext password even before the transaction gets mined.

Impact

  1. Any external actor can change the password without the owner's consent, leading to potential unauthorized access.

  2. Password confidentiality is compromised as it can be seen by anyone monitoring the mempool, making the stored password effectively public.

Tools Used

  • Manual code review

Recommendations

  1. Implement an access control mechanism in the setPassword function to ensure that only the contract's owner can change the password.

  2. Consider encrypting the password before sending it to the contract, or avoid storing sensitive information on-chain altogether.
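To make recommendation 1 concrete, here is an added example (not code from the audited repository or from the submission) that places a contract with the reported flaw next to an owner-restricted version. Every name other than `setPassword` is an assumption chosen for illustration, including the contract names, `NotOwner`, `PasswordChanged`, `i_owner`, `s_password` and `getPassword`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration. Only `setPassword` comes from the report;
// all other identifiers are hypothetical.

/// Reproduces the reported flaw: setPassword has no caller check.
contract PasswordStoreUnchecked {
    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender;
    }

    // Any account can overwrite the stored value.
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
    }
}

/// Same storage layout with the owner check from recommendation 1.
contract PasswordStoreOwnerOnly {
    error NotOwner();
    event PasswordChanged(); // deliberately carries no password data

    address private immutable i_owner;
    string private s_password;

    constructor() {
        i_owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert NotOwner();
        _;
    }

    // Reverts with NotOwner() for every caller except the deployer.
    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
        emit PasswordChanged();
    }

    // The modifier limits who can call this function, not who can read
    // the data: the value remains visible in calldata and in storage.
    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}
```

The owner check addresses only the access control issue. The confidentiality issue remains, because the plaintext still travels in calldata, so recommendation 2 applies regardless.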

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
