Submission Details
Severity:
Any External Address can Override Password
Summary
Due to absence of critical validation, Any External Address can Override Password
Vulnerability Details
/*
* @notice This function allows only the owner to set a new password.
* @param newPassword The new password to set.
*/
function setPassword(string memory newPassword) external {
>>> s_password = newPassword;
emit SetNetPassword();
}
As noted in the code above, setPassword(...) is an external function with no validation and can be called by anyone.
Impact
Complete reset of saved password by unauthorized addresses
Tools Used
Manual Review
Recommendations
Critical validation should added to the set function
/*
* @notice This function allows only the owner to set a new password.
* @param newPassword The new password to set.
*/
function setPassword(string memory newPassword) external {
+++ if (msg.sender != s_owner) {
+++ revert PasswordStore__NotOwner();
+++ }
s_password = newPassword;
emit SetNetPassword();
}
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.