Submission Details
Severity:
High01: malicious user can set password cause there's no access control
Summary
Malicious user can set password cause there's no access control...
Vulnerability Details
On setPassword function there's no access control so it can be easly manupilated...
Test case below
address malicious_actor=makeAddr("malicious_actor");
function test_maliciouseUser_can_change_password() public{
string memory forged_password= "notMyNewPassword";
vm.startPrank(malicious_actor);
passwordStore.setPassword(forged_password);
vm.stopPrank();
vm.startPrank(owner);
assertEq(passwordStore.getPassword(),forged_password);
vm.stopPrank();
}
Impact
Loss of password which has been set by owner.
Tools Used
foundry test
Recommendations
Access control can be set but still it wont be viable way to store sensitive password cause of the public nature
of the blockchain
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.