Beginner Friendly Foundry
100 EXP
Submission Details
Severity: low
Invalid

Password can be set to nothing

Summary

Password can be set to nothing

Vulnerability Details

The purpose of the contract is to store a secret password. However, the setPassword function also accepts an empty string as its input parameter. In practice, no application or website accepts an empty password.

PoC: add the following test to PasswordStore.t.sol.

    // Shows that the owner can store an empty string and read it back unchanged.
    function test_owner_can_set_empty_password() public {
        vm.startPrank(owner);
        string memory expectedPassword = "";
        passwordStore.setPassword(expectedPassword);
        string memory actualPassword = passwordStore.getPassword();
        assertEq(actualPassword, expectedPassword);
    }

Then run it with:

forge test --match-path test/PasswordStore.t.sol --match-contract PasswordStoreTest --match-test "test_owner_can_set_empty_password"

Result:

Running 1 test for test/PasswordStore.t.sol:PasswordStoreTest
[PASS] test_owner_can_set_empty_password() (gas: 16748)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.94ms

Impact

The stored password can be set to an empty string.

Tools Used

Manual review

Recommendations

Add a check to the setPassword function that rejects empty strings (the custom error must be declared at contract level):

    error Empty_Password();

    function setPassword(string memory newPassword) external {
        if (bytes(newPassword).length == 0) // no empty passwords
            revert Empty_Password();
        s_password = newPassword; // existing write to storage, unchanged
        emit SetNetPassword();
    }

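The following Foundry test is an added example, not part of the original submission or the PasswordStore project: it is a regression test for the recommended fix, assuming the contract declares a custom error named Empty_Password and is deployed by the test contract itself (so the test contract is the owner allowed to call getPassword).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol";

// Hypothetical regression test for the empty-password guard.
contract PasswordStoreEmptyPasswordTest is Test {
    PasswordStore public passwordStore;

    function setUp() public {
        // Assumption: deploying from the test contract makes it the owner.
        passwordStore = new PasswordStore();
    }

    // After the fix, an empty string must revert with Empty_Password.
    function test_set_empty_password_reverts() public {
        vm.expectRevert(PasswordStore.Empty_Password.selector);
        passwordStore.setPassword("");
    }

    // A non-empty string still goes through, so the guard does not break the normal path.
    function test_set_non_empty_password_succeeds() public {
        passwordStore.setPassword("myNewPassword");
        assertEq(passwordStore.getPassword(), "myNewPassword");
    }

    // Caveat: bytes(...).length only rejects the zero-length string; a
    // whitespace-only value like " " still passes the check.
    function test_whitespace_password_is_not_rejected_by_length_check() public {
        passwordStore.setPassword(" ");
        assertEq(passwordStore.getPassword(), " ");
    }
}
```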
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation
