Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Missing Access Control in setPassword Function

Summary

This report identifies a vulnerability in the setPassword function of the "PasswordStore" smart contract. The issue arises from the absence of access control checks, allowing anyone to set the password without proper authorization.

Vulnerability Details

  • Contract Name: PasswordStore

  • Function Affected: setPassword(string memory newPassword)

  • Description: The setPassword function contains no require statement or other access control check, so any caller can overwrite the stored password. This oversight could compromise the integrity of the password store.

function setPassword(string memory newPassword) external { // No access control implemented
    s_password = newPassword;
    emit SetNetPassword();
}

Impact

  • Unauthorized users can change the stored password, potentially compromising the security of the data.

Tools Used

  • No specific tool used. Vulnerability identified using manual code review.

Recommendations

  • Add an access control modifier (e.g., "onlyOwner") to the setPassword function, ensuring that only the contract owner (the address that deployed the contract) can change the password.

function setPassword(string memory newPassword) external {
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    s_password = newPassword;
    emit SetNetPassword();
}

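To verify that the recommended fix actually closes the finding, here is an added Foundry test (not part of this submission or the PasswordStore project). It bundles a minimal stand-in contract with the owner check applied; the constructor, the s_owner variable and getPassword are assumptions of this example, since the report above shows only setPassword and the PasswordStore__NotOwner error.

```solidity
pragma solidity ^0.8.18;
import {Test} from "forge-std/Test.sol";

// Stand-in PasswordStore with the recommended owner check in setPassword.
// The constructor, s_owner and getPassword are assumptions of this example;
// the report above shows only setPassword and the PasswordStore__NotOwner error.
contract PasswordStore {
    error PasswordStore__NotOwner();
    address private s_owner;
    string private s_password;
    event SetNetPassword();
    constructor() {
        s_owner = msg.sender; // deployer is the only account allowed to write
    }
    function setPassword(string memory newPassword) external {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        s_password = newPassword;
        emit SetNetPassword();
    }
    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        return s_password;
    }
}

contract PasswordStoreAccessControlTest is Test {
    PasswordStore store;
    address owner = makeAddr("owner");
    address stranger = makeAddr("stranger");
    function setUp() public {
        vm.prank(owner); // next call (the deployment) is sent from owner
        store = new PasswordStore();
    }
    // A non-owner call must revert with the custom error, not silently succeed.
    function testNonOwnerCannotSetPassword() public {
        vm.prank(stranger);
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        store.setPassword("not-allowed");
    }
    // The owner can still update the password and reads back the new value.
    function testOwnerCanSetPassword() public {
        vm.startPrank(owner);
        store.setPassword("newSecret");
        assertEq(store.getPassword(), "newSecret");
        vm.stopPrank();
    }
}
```

Run with `forge test`; the first test fails against the original setPassword (no revert occurs) and passes once the owner check is in place.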
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
