Submission Details
Severity: high
Valid

Unauthorized Access to `setPassword` Function

Summary

The `setPassword` function is not protected by any access control mechanism. Any user can call this function and change the password of the contract.

Vulnerability Details

The setPassword function lacks any access control safeguards, allowing any user to invoke it and alter the contract's password. This presents a critical concern since the contract's operational rules dictate that only the contract owner should be able to modify or access the password. To address this security vulnerability, it is imperative to introduce a validation mechanism within the setPassword function that ensures only the contract owner can make password changes, thus mitigating the risk of unauthorized access to this function.

Impact

This is a high severity issue as the business logic of the contract requires that only the owner of the contract can change the password or retrieve it.

Tools Used

Manual review

Recommendations

Add a check in the setPassword function to ensure that only the owner of the contract can change the password to prevent unauthorized access to this function.

```solidity
if (msg.sender != s_owner) {
    revert PasswordStore__NotOwner();
}
```

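
A Foundry regression test for the recommended check, as an added example that is not part of the original submission or the audited project's code. The `PasswordStore` below is a minimal stand-in: `s_password`, `getPassword` and the constructor are assumed names, while `setPassword`, `s_owner` and `PasswordStore__NotOwner` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Stand-in for the audited contract with the recommended check applied.
// Assumed names: s_password, getPassword, the constructor setting s_owner.
contract PasswordStore {
    error PasswordStore__NotOwner();
    address private s_owner;
    string private s_password;

    constructor() { s_owner = msg.sender; }

    function setPassword(string memory newPassword) external {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        s_password = newPassword;
    }

    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        return s_password;
    }
}

contract PasswordStoreAccessControlTest is Test {
    PasswordStore private store;
    address private owner = makeAddr("owner");

    function setUp() public {
        vm.prank(owner); // deploy as the owner so s_owner == owner
        store = new PasswordStore();
    }

    // Fuzzed over callers: every address other than the owner must be rejected.
    function testFuzz_NonOwnerCannotSetPassword(address caller) public {
        vm.assume(caller != owner);
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        vm.prank(caller);
        store.setPassword("changed-by-non-owner");
    }

    // The check must not lock out the legitimate owner.
    function test_OwnerCanSetPassword() public {
        vm.startPrank(owner);
        store.setPassword("new-secret");
        assertEq(store.getPassword(), "new-secret");
        vm.stopPrank();
    }
}
```

Run with `forge test`; removing the `if` block from `setPassword` makes the fuzz test fail, which is the behaviour this finding reports.
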
Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
