The setPassword function in the PasswordStore smart contract lacks access control mechanisms, permitting any external entity to call the function and alter the stored password. This oversight undermines the security and intended functionality of the contract, leading to unauthorized password modifications.
The vulnerability is rooted in the design of the setPassword function within the PasswordStore contract. The function is marked as external, making it callable by any external entity. There's no access control in place, such as a modifier to ensure that only the owner or authorized addresses can call this function and change the password. This design flaw allows any malicious actor to set a new password, compromising the security of the contract.
This vulnerability is of High severity based on the fact that it provides a direct and straightforward path for unauthorized password modification, which is a fundamental breach of the smart contract's intended functionality.
Impact on the protocol: Direct impact on the main functionality of the protocol, which is to securely store and retrieve passwords.
Likelihood of exploitation: Highly probable, as any external entity can call the setPassword function without restrictions.
No specific tools are needed to exploit this vulnerability other than access to interact with the smart contract on the blockchain.
Implement Access Control: Employ access control mechanisms to restrict the ability to call the setPassword function only to the owner or authorized addresses. This can be achieved by using modifiers to check the caller's address before executing the function.
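One way to implement the recommended modifier, shown as an added example and not the PasswordStore contract's actual code. Every identifier except `setPassword` is an assumption, and the `Stranger` and `AccessControlCheck` contracts are hypothetical helpers that only confirm a non-owner call reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hardened sketch: names other than setPassword are assumed for illustration.
contract PasswordStoreHardened {
    error NotOwner(address caller);
    event PasswordChanged(address indexed by);

    address private immutable i_owner; // fixed at deployment
    string private s_password;

    constructor() {
        i_owner = msg.sender;
    }

    // Reject every caller except the deployer before the body runs.
    modifier onlyOwner() {
        if (msg.sender != i_owner) revert NotOwner(msg.sender);
        _;
    }

    // Same external entry point as in the finding, now gated by the modifier.
    function setPassword(string calldata newPassword) external onlyOwner {
        s_password = newPassword;
        emit PasswordChanged(msg.sender);
    }
}

// Hypothetical non-owner caller: reports whether its call was accepted.
contract Stranger {
    function trySet(PasswordStoreHardened store) external returns (bool) {
        try store.setPassword("constructed-value") {
            return true;  // would mean access control is missing
        } catch {
            return false; // expected: call reverted with NotOwner
        }
    }
}

// Hypothetical check: deploys the store (becoming owner) and exercises both paths.
contract AccessControlCheck {
    function run() external returns (bool ownerAccepted, bool strangerAccepted) {
        PasswordStoreHardened store = new PasswordStoreHardened();
        store.setPassword("constructed-owner-value"); // owner path must not revert
        ownerAccepted = true;
        strangerAccepted = new Stranger().trySet(store); // must be false
    }
}
```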
Anyone can call `setPassword` and set a new password contrary to the intended purpose.