Submission Details
Severity:
Attacker can change the password
Summary
Anyonce can change the password
Vulnerability Details
setPassword doesn't check if the msg.sender is the owner of the store. Anyone can call this function and update the password.
contract BadContract{
function hackPassword(string memory newPassword) external {
passwordStore = PasswordStore(0x123123);
passwordStore.setPassword(newPassword);
}
}
Impact
Password can be changed by anyone. Victim's storage will be violated and they won't be able to retrieve the true password.
Recommendations
Validate that msg.sender is the owner of the store, just like in getPassword. It's better to move that logic into modifier onlyOwner so that code could be reused.
modifier onlyOwner() {
require(msg.sender == s_owner, "PasswordStore: Not Owner!");
_;
}
function setPassword(string memory newPassword) external onlyOwner {}
function getPassword() external view returns onlyOwner (string memory) {}
Updates
Lead Judging Commences
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.