Lack of Access Control Allows Unauthorized Password Changes in the `PasswordStore` Smart Contract
Summary
This report describes a vulnerability in the PasswordStore contract that allows anyone to set the password for the contract even if they are not the owner. This vulnerability could allow attackers to gain access to the contract and steal funds or potentially denying legitimate users access to their accounts
Vulnerability Details
The vulnerability is due to the fact that the setPassword() function in the PasswordStore contract does not check to see if the caller is the owner of the contract. This means that anyone can call the setPassword() function to set the password for the contract.
Impact
The bug could allow attackers to gain access to the PasswordStore contract and steal funds or potentially denying legitimate users access to their accounts. This could have a number of negative consequences for users including financial loss, identity theft and damage to reputation.
Tools Used
Manual analysis
Recommendations
Restricting the setPassword() function to only be callable by the owner of the contract.
Lead Judging Commences
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.