The `setPassword` function in the Solidity code lacks sufficient access control, potentially exposing the contract to unauthorized changes.
The `setPassword` function is meant to let the contract owner set a password, and it is externally visible. However, the function performs no check on the caller's identity, so it is open to unauthorized access. As a result, anyone, including malicious actors, can call it to set a new password, leading to unauthorized changes. While the owner retains the ability to reset the password, a malicious actor could exploit this by repeatedly overwriting it.
Anyone, including malicious actors, can call the `setPassword` function to change the `string private s_password` variable.
Manual Review
We recommend implementing a strong access control mechanism so that only authorized users can change the password.
Consider using a custom modifier or role-based access control to improve security, such as OpenZeppelin's access-control contracts: https://docs.openzeppelin.com/contracts/5.x/access-control
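The following is an added illustration of the finding and of the recommended fix; it is not the audited project's code. It places a minimal store with the unguarded `setPassword` next to a hardened version that gates the function behind a custom `onlyOwner` modifier. The owner slot name `s_owner`, the custom error name and the event are assumptions; only `setPassword` and `string private s_password` come from the finding above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Illustrative vulnerable store (not the audited contract).
/// `s_owner` is an assumed name for the slot that records the deployer.
contract PasswordStoreUnguarded {
    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender;
    }

    // No check on msg.sender: any externally owned account or contract
    // can overwrite the stored password.
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
    }
}

/// Illustrative hardened store: the same function, restricted to the
/// address recorded at deployment. Error and event names are assumed.
contract PasswordStoreGuarded {
    error PasswordStore__NotOwner();

    address private s_owner;
    string private s_password;

    event SetNewPassword();

    constructor() {
        s_owner = msg.sender;
    }

    // Reverts with a custom error for every caller except the owner,
    // then runs the guarded function body.
    modifier onlyOwner() {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        _;
    }

    // Only the owner can reach the assignment; an event makes each
    // successful change visible to off-chain monitoring.
    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
        emit SetNewPassword();
    }
}
```

A unit test for the hardened version should send `setPassword` from a non-owner address and expect a revert with `PasswordStore__NotOwner`, then send it from the owner and expect the event. The same guard can be obtained by inheriting OpenZeppelin's `Ownable` (import `@openzeppelin/contracts/access/Ownable.sol`, pass the initial owner to its constructor in 5.x, and apply its `onlyOwner` modifier) instead of writing the modifier by hand.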
Anyone can call `setPassword` and set a new password, contrary to the intended purpose.