Submission Details
Severity:
[H-2] Improper Access Control
Summary
No access check in setPassword function.
Vulnerability Details
Any one call the setPassword function and change the value of the s_password variable.
Impact
Anyone can change the password stored inside the contract.
Tools Used
Manual review, Ape.
Recommendations
Add checks to see if the sender is the owner of the password or not
modifier onlyOwner {
require(msg.sender == owner);
_;
}
function setPassword(string memory newPassword) external onlyOwner{
s_password = newPassword;
emit SetNetPassword();
}
// or
// again this can be read from contract storage. better to save sensitive info off-chain
mapping(address => string) Passwords private;
function setPassword(string memory newPassword) external onlyOwner{
Passwords[msg.sender] = newPassword;
emit SetNetPassword();
}
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.