Submission Details
Severity:
s_owner variable not immutable, therefore it can be changed after deployment
Summary
The PasswordStore::s_owner variable is defined as a private state variable instead of immutable, allowing it to be changed after deployment.
Vulnerability Details
contract PasswordStore {
error PasswordStore__NotOwner();
@> address private s_owner;
string private s_password;
By not defining s_owner as immutable, any address could potentially change the owner value by calling a setter function. This breaks the intended ownership model of the contract.
Impact
Loss of ownership, contracts functions could be exploited by unauthorized actors if owner is changed.
Here PoC:
contract PasswordStore {
error PasswordStore__NotOwner();
@> address immutable public i_owner; //Change
string private s_password;
Tools Used
Slither
Foundry
Recommendations
Define s_owner as an immutable public variable instead of a private one.
- address private s_owner;
+ address immutable public i_owner;
Updates
Lead Judging Commences
inallhonesty
about 2 years ago
JCM
about 2 years ago
inallhonesty
about 2 years ago
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.