The PasswordStore::s_owner variable is defined as a private state variable instead of immutable, allowing it to be changed after deployment.
By not defining s_owner as immutable, any address could potentially change the owner value by calling a setter function. This breaks the intended ownership model of the contract.
Loss of ownership: the contract's functions could be exploited by unauthorized actors if the owner is changed.
Here is the PoC:
Slither
Foundry
Define s_owner as an immutable public variable instead of a private one.
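An illustration of the recommended pattern, added here as a constructed example rather than the PasswordStore code under audit: the contract name, the setPassword/getPassword functions and the NotOwner error are assumptions, and the point is that an immutable owner can only be assigned in the constructor, so no setter changing it can even compile.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Hypothetical minimal store showing an immutable owner.
/// This is a constructed example, not the audited PasswordStore contract.
contract ImmutableOwnerStore {
    // `immutable` values may be assigned only at declaration or in the
    // constructor. The compiler rejects any later write, so no function
    // in this contract can change the owner after deployment.
    address public immutable s_owner;
    string private s_password;

    error NotOwner();

    event PasswordSet();

    constructor() {
        // The deployer becomes the owner, fixed for the contract's lifetime.
        s_owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != s_owner) revert NotOwner();
        _;
    }

    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
        emit PasswordSet();
    }

    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }

    // Uncommenting this function makes compilation fail with
    // "Cannot write to immutable here", which is the guarantee `immutable`
    // provides: the owner cannot be reassigned by any call after deployment.
    // function transferOwnership(address newOwner) external onlyOwner {
    //     s_owner = newOwner;
    // }
}
```

One caveat: an immutable owner also rules out legitimate ownership transfer, so use this pattern only where the owner is genuinely meant to be fixed for the contract's lifetime.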