The `setPassword` function has no access control: it never checks `msg.sender`, so any account can call it and overwrite the stored password. It also performs no validation on `newPassword`, so malformed or unintended values (an empty string, for example) are accepted as-is.
```solidity
// Vulnerable function as found: no access control and no input validation.
function setPassword(string memory newPassword) external {
    s_password = newPassword;
    emit SetNetPassword();
}
```
It also stores the password directly, without considering practices such as hashing or encryption. Storing a plaintext password on the blockchain is risky because contract storage is publicly readable, regardless of Solidity visibility modifiers.
Manual Review
To secure `setPassword`, add access control restricting who may call it. Use a modifier or a `require` statement to check the caller's authorization, e.g., by allowing only the contract owner (or a specific role) to call the function.
```solidity
// Restricts a function to the stored owner address.
modifier onlyOwner {
    require(msg.sender == owner, "Only the contract owner can call this function");
    _;
}

function setPassword(string memory newPassword) external onlyOwner {
    // Add input validation here if needed (e.g. reject an empty password)
    s_password = newPassword;
    emit SetNetPassword();
}
```
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
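To show the recommended fix end to end, here is an added example (not the audited contract and not code from this report): a hypothetical hardened store with an owner check and an empty-password guard, plus a Foundry test asserting that a non-owner call reverts. It assumes a Foundry project with forge-std installed; all contract, error and test names are invented for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Test} from "forge-std/Test.sol"; // assumes forge-std is installed

// Hypothetical hardened store written for this example; not the audited contract.
contract PasswordStoreHardened {
    error PasswordStoreHardened__NotOwner();
    error PasswordStoreHardened__EmptyPassword();
    event SetNetPassword();

    address private immutable i_owner;
    // NOTE: `private` only hides this from other contracts; storage slots are
    // readable off-chain, so the value is still public. Do not store real secrets.
    string private s_password;

    constructor() { i_owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert PasswordStoreHardened__NotOwner();
        _;
    }

    // Access control plus a minimal input check (reject empty passwords).
    function setPassword(string memory newPassword) external onlyOwner {
        if (bytes(newPassword).length == 0) revert PasswordStoreHardened__EmptyPassword();
        s_password = newPassword;
        emit SetNetPassword();
    }

    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}

// Foundry tests: the non-owner path must revert, the owner path must succeed.
contract PasswordStoreHardenedTest is Test {
    PasswordStoreHardened private store;
    address private nonOwner = makeAddr("nonOwner"); // constructed test address

    function setUp() public { store = new PasswordStoreHardened(); } // this contract is owner

    function testNonOwnerCannotSetPassword() public {
        vm.prank(nonOwner);
        vm.expectRevert(PasswordStoreHardened.PasswordStoreHardened__NotOwner.selector);
        store.setPassword("not-allowed");
    }

    function testOwnerSetsAndReadsPassword() public {
        store.setPassword("example-password"); // constructed sample value
        assertEq(store.getPassword(), "example-password");
    }
}
```

Run with `forge test`; the first test documents the original finding (unrestricted writes) as a regression check, the second confirms the owner path still works.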