There are 2 problems in the code.
1. The setPassword function does not check that the caller is the owner, so anyone can change the owner's password.
2. Although s_owner and s_password are private, the data is stored on chain, so anyone can read the contents of s_owner and s_password with tools such as Foundry's cast.
```solidity
function setPassword(string memory newPassword) external {
    // No check that msg.sender is s_owner: any caller reaches this line.
    s_password = newPassword;
    emit SetNetPassword();
}
```
setPassword does not check that the caller is the owner.
```solidity
address private s_owner;
string private s_password;
```
s_owner and s_password use private visibility.
Everything that is inside a contract is visible to all observers external to the blockchain. Making something private only prevents other contracts from reading or modifying the information, but it will still be visible to the whole world outside of the blockchain.
High Risk
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
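As an added example (not part of the original finding or the contract's code), the Python below decodes raw 32-byte storage words the way a storage-reading tool such as cast presents them, following Solidity's storage layout for an address and a string. The slot order (slot 0 = s_owner, slot 1 = s_password) is assumed from the declaration order shown above, and the sample words are constructed.

```python
# Added illustration, not the contract's code. Sample words are constructed.

def _word(hex_word: str) -> bytes:
    """Parse a hex storage word (with or without 0x) into exactly 32 bytes."""
    raw = bytes.fromhex(hex_word[2:] if hex_word.startswith("0x") else hex_word)
    if len(raw) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    return raw

def decode_address(hex_word: str) -> str:
    """An address sits in the low-order 20 bytes of its slot."""
    return "0x" + _word(hex_word)[12:].hex()

def decode_string(hex_word: str) -> dict:
    """Decode the main slot of a Solidity `string` state variable."""
    raw = _word(hex_word)
    if raw[31] & 1 == 0:
        # Short form (<= 31 bytes): data left-aligned, lowest byte = length * 2.
        length = raw[31] // 2
        if length > 31:
            raise ValueError("invalid short-string length")
        text = raw[:length].decode("utf-8", errors="replace")
        return {"in_slot": True, "length": length, "value": text}
    # Long form: slot holds length * 2 + 1; the bytes start at keccak256(slot number).
    length = (int.from_bytes(raw, "big") - 1) // 2
    return {"in_slot": False, "length": length, "value": None}

# Constructed sample words (assumed layout: slot 0 = s_owner, slot 1 = s_password).
SLOT0 = "0x" + "00" * 12 + "11" * 20
SLOT1 = "0x" + "6d7950617373776f7264" + "00" * 21 + "14"  # "myPassword", 10 bytes
LONG = "0x" + "00" * 31 + "51"  # a 40-byte string: 40 * 2 + 1 = 0x51

if __name__ == "__main__":
    print("s_owner   :", decode_address(SLOT0))
    print("s_password:", decode_string(SLOT1))
    print("long form :", decode_string(LONG))
```

The private keyword changes none of this decoding, which is why a plaintext secret in contract storage is readable regardless of visibility.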