Unrestricted Access to `setPassword` Function
Description
The setPassword function allows the contract owner to update the password stored in the contract. However, the function lacks a modifier or a condition to check that the caller (msg.sender) is the contract owner. This omission allows any Ethereum address to call setPassword and change the password, which directly violates the contract's intended access control and functionality.
Code Snippet
Impact
This issue is categorized as High/Critical severity due to the following impacts:
The absence of access control on the setPassword function allows any Ethereum address to change the password.
Once an unauthorized address changes the password, the legitimate contract owner loses access to their stored password, which severely violates the contract's core functionality.
The contract's main purpose is compromised, and the integrity and security of the stored password are completely undermined.
Tools Used
Recommendations
Implementing an access control check in the setPassword function to ensure that only the contract owner can change the password is crucial. This can be done by adding a modifier or a condition to check that msg.sender equals s_owner. Here's a suggested fix:
Lead Judging Commences
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.