Submission Details
Severity: high
Valid

Anyone can change owners password

Summary

The setPassword function can be called by anyone. There is no check ensuring that only the owner of this contract can call it, so anyone can change the owner's password.

Vulnerability Details

Add this function to the PasswordStore.t.sol file and run the test. An arbitrary address (address(1)) sets a new password, and the owner then reads back the attacker-chosen value:

function test_anyone_can_set_new_password() external {
    vm.startPrank(address(1));
    string memory expectedPassword = "CodeHawksAreGOAT";
    passwordStore.setPassword(expectedPassword);
    vm.stopPrank();
    vm.startPrank(owner);
    string memory actualPassword = passwordStore.getPassword();
    assertEq(actualPassword, "CodeHawksAreGOAT");
}

Impact

The owner's secret password can be overwritten by anyone.

Tools Used

VScode, Foundry, Ethers

Recommendations

Modify the setPassword function so that only the owner of this contract can call it. It could look like this:

function setPassword(string memory newPassword) external {
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    s_password = newPassword;
    emit SetNetPassword();
}

Updates
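The recommendation above only shows the patched function. The following is an added example, not the submission's code and not the project's own contract or test suite: a complete PasswordStore with the owner check in setPassword, followed by a Foundry regression test that proves a non-owner call now reverts with PasswordStore__NotOwner while the owner can still update the password. The names s_owner, s_password, PasswordStore__NotOwner and SetNetPassword come from the recommendation; the test contract name, the attacker address and the forge-std import path are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Added example (not the project's code): PasswordStore with the access-control
// fix applied to setPassword. The deployer becomes the owner.
contract PasswordStore {
    error PasswordStore__NotOwner();

    address private s_owner;
    string private s_password;

    event SetNetPassword();

    constructor() {
        s_owner = msg.sender;
    }

    // Fixed: reverts for any caller other than the owner before touching storage.
    function setPassword(string memory newPassword) external {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        s_password = newPassword;
        emit SetNetPassword();
    }

    // Same owner check on the getter, matching the contract's intent.
    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        return s_password;
    }
}

// Regression test for the fix. The test contract deploys PasswordStore, so
// the test contract address is the owner; address(1) is a constructed attacker.
contract PasswordStoreAccessTest is Test {
    PasswordStore private passwordStore;
    address private attacker = address(1);

    function setUp() public {
        passwordStore = new PasswordStore();
    }

    // A non-owner call must revert with the custom error and leave storage untouched.
    function test_nonOwner_cannot_setPassword() public {
        passwordStore.setPassword("original");

        vm.prank(attacker);
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        passwordStore.setPassword("CodeHawksAreGOAT");

        // Owner (this contract) still reads the original value.
        assertEq(passwordStore.getPassword(), "original");
    }

    // The owner path keeps working after the fix.
    function test_owner_can_setPassword() public {
        passwordStore.setPassword("myNewPassword");
        assertEq(passwordStore.getPassword(), "myNewPassword");
    }
}
```

Run it with forge test from a Foundry project that has forge-std installed. The first test is the mirror image of the proof-of-concept in the Vulnerability Details section: the same attacker-chosen value is attempted, but the call is expected to revert instead of succeeding, which is the assertion a reviewer wants to see in the fix's pull request.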

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
