The setPassword function lacks access control mechanisms, allowing any address to call it and change the password. This function should be restricted to ensure that only the owner can change the password.
Deploy the contract on a test network like Rinkeby or use a local Ethereum environment like Ganache.
Use a different address (not the owner) to call the setPassword function with a new password.
Verify that the transaction is successful and the password is changed without any restriction, even though the caller is not the owner.
This vulnerability allows any malicious actor to change the password, completely bypassing the contract's intended logic and potentially locking the legitimate owner out of their account/contract.
Manual Review
Implement access controls to restrict the setPassword function to the owner using modifiers like onlyOwner.
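The following is an added illustration, not code from the audited project: the unrestricted `setPassword` pattern that the proof of concept above exercises, beside the version guarded by an `onlyOwner` modifier as recommended. The contract, state-variable and error names (`PasswordStoreVulnerable`, `PasswordStoreFixed`, `s_owner`, `s_password`, `PasswordStore__NotOwner`) are assumed stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed names throughout; only `setPassword`, `owner` and `onlyOwner`
// come from the finding itself.
contract PasswordStoreVulnerable {
    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender;
    }

    // VULNERABLE: msg.sender is never checked, so the call in step 3 of the
    // proof of concept succeeds for any address and overwrites the password.
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
    }
}

contract PasswordStoreFixed {
    error PasswordStore__NotOwner(); // assumed error name

    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender;
    }

    // Reverts for every caller except the deployer, so a non-owner
    // transaction now fails instead of silently changing state.
    modifier onlyOwner() {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        _;
    }

    // FIXED: access control enforced by the modifier.
    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
    }
}
```

Re-running step 3 against `PasswordStoreFixed` from a non-owner address should revert with `PasswordStore__NotOwner` rather than succeed, which is the check that confirms the remediation.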
Anyone can call `setPassword` and set a new password, contrary to the intended purpose.