Submission Details
Severity: high
Invalid

s_owner variable not immutable, therefore it can be changed after deployment

Summary

The PasswordStore::s_owner variable is defined as a private state variable instead of immutable, allowing it to be changed after deployment.

Vulnerability Details

contract PasswordStore {
    error PasswordStore__NotOwner();
@>  address private s_owner;
    string private s_password;

By not defining s_owner as immutable, any address could potentially change the owner value by calling a setter function. This breaks the intended ownership model of the contract.

Impact

Loss of ownership; the contract's functions could be exploited by unauthorized actors if the owner is changed.
Here is the PoC:

contract PasswordStore {
    error PasswordStore__NotOwner();
@>  address immutable public i_owner; // Change
    string private s_password;

Tools Used

  • Slither

  • Foundry

Recommendations

Define s_owner as an immutable public variable instead of a private one.

- address private s_owner;
+ address immutable public i_owner;
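
Review bot: every other use of s_owner in the contract has to be renamed together with the + line's i_owner, and an immutable variable must be assigned at its declaration or in the constructor; the hunk shows neither, so as posted it covers only the declaration. The same line also switches private to public, which generates a getter and is a separate change from adding immutable; keep private if exposing the owner is not intended. The conventional Solidity ordering puts visibility first: address public immutable i_owner;
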
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
JCM Submitter
almost 2 years ago
inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
