First Flight #1: PasswordStore

First Flight #1

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Ownership Checks Should Utilize Modifier

nisedo

Vulnerability Details

The getPassword function includes a direct ownership check using the condition:

36 if (msg.sender != s_owner) {

37 revert PasswordStore__NotOwner();

38 }

While this effectively ensures that only the owner can call the getPassword function, similar logic is recommended to be added to the setPassword function as noted in my previous report "No Access Control on setPassword Function". Having the same ownership verification logic in multiple functions leads to redundancy and can make the contract less maintainable. In Solidity, it's best practice to use a modifier for common checks like ownership verification, ensuring that the logic is defined in one place and can be easily applied to multiple functions.

Impact

Low. While the current implementation does not introduce a direct security vulnerability, it makes the contract less maintainable and more prone to errors in the future. If the ownership logic needs to be updated or if more functions are added that require the same check, having the logic spread out in multiple places increases the risk of inconsistencies or oversight.

Recommendations

Create an onlyOwner modifier in the contract that encapsulates the ownership check and the associated revert logic. For example:

16 event SetNetPassword();

+ modifier onlyOwner() {

+ if (msg.sender != s_owner) {

+ revert PasswordStore__NotOwner(msg.sender);

+ }

+ _;

+ }

25 constructor() {

Apply this onlyOwner modifier to the getPassword function, and any other functions that require owner-only access, including the recommended modification to setPassword.

- function setPassword(string memory newPassword) external {

+ function setPassword(string memory newPassword) external onlyOwner {

...

- function getPassword() external view returns (string memory) {

+ function getPassword() external view onlyOwner returns (string memory) {

By using the modifier, the code becomes cleaner, more maintainable, and less error-prone. Ensure that all functions that require owner-only access consistently use this modifier, making the contract's security posture clearer and more robust.

Updates

Lead Judging Commences

inallhonesty Lead Judge

almost 2 years ago

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.