Summary
The functionality to restrict the use of setPassword
is not implemented.
Vulnerability Details
Anyone can change the password. If the password is used somehow on-chain, this could lead to a denial of service. If the password is used off-chain, it can be recovered anyway, since the information stored on-chain is public.
POC
pragma solidity 0.8.18;
import {Test, console} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol";
import {DeployPasswordStore} from "../script/DeployPasswordStore.s.sol";
contract PasswordStoreTest is Test {
    PasswordStore public passwordStore;
    DeployPasswordStore public deployer;
    address public owner;

    /// @notice Deploys a fresh PasswordStore via the deploy script before every test.
    /// @dev `owner` is taken from `msg.sender` of the test contract's setUp call.
    function setUp() public {
        deployer = new DeployPasswordStore();
        passwordStore = deployer.run();
        owner = msg.sender;
    }

    /// @dev Impersonates `caller` for the rest of the test, writes `pwd`, then reads it back.
    ///      NOTE(review): getPassword() is also invoked as `caller` here; if the getter is
    ///      owner-gated, the read for a non-owner would revert — confirm against PasswordStore.
    function _writeThenRead(address caller, string memory pwd) private returns (string memory) {
        vm.startPrank(caller);
        passwordStore.setPassword(pwd);
        return passwordStore.getPassword();
    }

    /// @notice Baseline: the owner is able to set and read back a password.
    function test_owner_can_set_password() public {
        string memory wanted = "myNewPassword";
        string memory stored = _writeThenRead(owner, wanted);
        assertEq(stored, wanted);
    }

    /// @notice PoC for the finding: an arbitrary address (address(2)) can overwrite the password.
    function test_anyone_can_set_password() public {
        string memory wanted = "myNewPassword";
        string memory stored = _writeThenRead(address(2), wanted);
        assertEq(stored, wanted);
    }
}
Impact
Likelihood: High
Impact: Depends on the use case of the password.
Tools Used
Foundry
Recommendations
Use Solady's Ownable.sol
contract to effectively restrict the usage of the contract.
pragma solidity 0.8.18;
import {Ownable} from "solady/auth/Ownable.sol";
/**
 * @author not-so-secure-dev
 * @title PasswordStore
 * @notice This contract allows you to store a private password that others won't be able to see.
 * You can update your password at any time.
 */
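contract PasswordStore is Ownable {
    /// @dev Retained for ABI compatibility with the original contract; `onlyOwner`
    ///      reverts with Ownable's own error, so this one is no longer raised here.
    error PasswordStore__NotOwner();

    /// @dev Ownership is tracked by Ownable; the former `s_owner` slot is dropped
    ///      so there is a single source of truth for the owner.
    string private s_password;

    event SetNetPassword();

    /**
     * @notice Sets the deployer as the Ownable owner.
     * @dev Solady's Ownable does not assign an owner by itself. Without this call
     *      `owner()` stays at address(0) and every `onlyOwner` function reverts
     *      for everyone, including the deployer.
     */
    constructor() {
        _initializeOwner(msg.sender);
    }

    /**
     * @notice This function allows only the owner to set a new password.
     * @param newPassword The new password to set.
     */
    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
        emit SetNetPassword();
    }

    /**
     * @notice This allows only the owner to retrieve the password through this getter.
     * @dev `onlyOwner` gates only this function. The value in `s_password` remains
     *      readable from contract storage by anyone, as the finding notes.
     * @return The currently stored password.
     */
    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}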