Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Single password slot implementation compromises multi-user functionality

Summary

The PasswordStore smart contract, as described in the README, is intended to let any user store a password and retrieve it later. The current implementation, however, keeps only one password in storage: when several users call setPassword, each call overwrites the value written by the previous caller.

Vulnerability Details

The contract keeps the password in a single string state variable, s_password. Every call to setPassword, from any address, writes to that one variable. If a second user sets a password after the first, the first user's password is replaced and cannot be recovered from the contract.

To deliver the behaviour the README describes, the contract should instead use a mapping from each user's address to that user's stored password. Each address then has its own entry in contract storage, and one user setting a password cannot affect the entry belonging to another user.

Impact

In the current implementation:

  1. Any user can overwrite another user's password, intentionally or not.

  2. Users cannot rely on their individual passwords persisting between calls.

  3. The contract does not deliver the multi-user functionality the README promises.

Tools Used

Manual review of the Solidity source.

Recommendations

  1. Replace the singular s_password variable with a mapping, like mapping(address => string) private passwords;.

  2. Modify the setPassword function to set the password for msg.sender in the mapping: passwords[msg.sender] = newPassword;.

  3. Modify the getPassword function to retrieve the password for msg.sender from the mapping.

  4. Keep each entry tied to its caller: with msg.sender used as the key in both functions, only the address that set a password can retrieve it. Note that the private visibility only hides the variable from other contracts; every storage slot is readable by anyone inspecting the chain, so this change addresses overwriting, not the confidentiality of the stored value.
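The following is an added Foundry test that illustrates both the overwrite described under Vulnerability Details and the mapping-based layout recommended above. It is not the audited PasswordStore source or code from the contest: SingleSlotStore is a constructed stand-in for the single-variable pattern the finding describes, PerUserPasswordStore and the s_passwords name are chosen for this illustration, and the test assumes forge-std is available at forge-std/Test.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the single-slot pattern described in the finding
// (not the audited PasswordStore source): one string, written by any caller.
contract SingleSlotStore {
    string private s_password;

    function setPassword(string memory newPassword) external {
        s_password = newPassword;
    }

    function getPassword() external view returns (string memory) {
        return s_password;
    }
}

// The recommended layout: one entry per caller address. Writing under
// msg.sender means no user can overwrite another user's entry, and reading
// under msg.sender means a caller only ever sees its own entry.
contract PerUserPasswordStore {
    mapping(address => string) private s_passwords;

    event PasswordSet(address indexed user);

    function setPassword(string memory newPassword) external {
        s_passwords[msg.sender] = newPassword;
        emit PasswordSet(msg.sender);
    }

    function getPassword() external view returns (string memory) {
        return s_passwords[msg.sender];
    }
}

contract MultiUserTest is Test {
    address internal alice = makeAddr("alice");
    address internal bob = makeAddr("bob");

    // Alice stores a value, Bob stores his, and Alice now reads Bob's value.
    function test_SingleSlot_SecondUserOverwritesFirst() public {
        SingleSlotStore store = new SingleSlotStore();

        vm.prank(alice);
        store.setPassword("alice-secret");
        vm.prank(bob);
        store.setPassword("bob-secret");

        // assertEq is internal, so the prank applies to the getPassword call.
        vm.prank(alice);
        assertEq(store.getPassword(), "bob-secret");
    }

    // With the mapping, each user reads back exactly what they stored.
    function test_PerUser_EntriesAreIndependent() public {
        PerUserPasswordStore store = new PerUserPasswordStore();

        vm.prank(alice);
        store.setPassword("alice-secret");
        vm.prank(bob);
        store.setPassword("bob-secret");

        vm.prank(alice);
        assertEq(store.getPassword(), "alice-secret");
        vm.prank(bob);
        assertEq(store.getPassword(), "bob-secret");

        // An address that never stored anything gets the empty default.
        vm.prank(makeAddr("carol"));
        assertEq(store.getPassword(), "");
    }
}
```

Run with forge test. The second test passes because the mapping key is the caller, which is also why no separate owner check is needed for retrieval; the private keyword, however, does not stop anyone from reading the mapping's storage slots directly from the chain, so a mapping keeps entries separate but not secret.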

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
