The PasswordStore contract allows any user, not just the owner, to modify the stored password. This is due to the absence of an owner check in the `setPassword` function.
The primary purpose of the PasswordStore contract is to allow the owner to securely store and manage a password. However, the current implementation does not restrict the modification of the password to the owner, allowing any external actor to change it.
In the `setPassword` function, there is no check to verify if the caller (`msg.sender`) is the owner of the contract. As a result, any Ethereum address can call this function and overwrite the stored password.
This vulnerability compromises the main functionality of the contract. Malicious actors can overwrite the password, rendering the contract useless for its intended purpose. Additionally, there's a risk of front-running attacks where attackers can change the password before the owner's transaction is mined.
Manual code review
Add an owner check at the beginning of the `setPassword` function using the `require` statement.
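The recommended check, shown beside the unchecked form, as an added example that is not the audited contract's source. The contract names, the storage variable names (`i_owner`, `s_password`), the compiler pragma and the revert string are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Illustrative sketch only; names below are assumed, not taken from the audited code.

// Before: the setter has no caller check, as the finding describes.
contract PasswordStoreBefore {
    address private immutable i_owner; // assumed name; set once at deployment
    string private s_password;         // assumed name

    constructor() {
        i_owner = msg.sender;
    }

    // Any address can call this and overwrite the stored value.
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
    }
}

// After: the setter rejects every caller except the deployer.
contract PasswordStoreAfter {
    address private immutable i_owner; // assumed name; set once at deployment
    string private s_password;         // assumed name

    constructor() {
        i_owner = msg.sender;
    }

    // The owner check runs first, so a call from any other address
    // reverts before the storage write is reached.
    function setPassword(string memory newPassword) external {
        require(msg.sender == i_owner, "PasswordStore: caller is not the owner");
        s_password = newPassword;
    }
}
```

A regression test for the fix should call `setPassword` from a non-owner address and assert that the call reverts and the stored value is unchanged.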
Anyone can call `setPassword` and set a new password contrary to the intended purpose.