First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Anyone can set the password in the `PasswordStore` contract

sobieski

Summary

The documentation states that only the PasswordStore contract's owner should be able to set the password stored in the contract. However, this fundamental requirement is not satisfied - anyone can set the password as the setPassword() method lacks any protection.

Vulnerability Details

The variable s_password can be set using the setPassword method, which is shown below.

/*
* @notice This function allows only the owner to set a new password.
* @param newPassword The new password to set.
*/
function setPassword(string memory newPassword) external {
s_password = newPassword;
emit SetNetPassword();
}

There is no check if the caller is s_owner, therefore anyone can successfully call this method and set the s_password variable to any string.

Impact

Anyone can overwrite the currently saved password.

Tools Used

Manual review

Recommendations

Add the check if the msg.sender is s_owner in the setPassword() method.

/*
* @notice This function allows only the owner to set a new password.
* @param newPassword The new password to set.
*/
function setPassword(string memory newPassword) external {
+ if (msg.sender != s_owner) {
+ revert PasswordStore__NotOwner();
+ }
s_password = newPassword;
emit SetNetPassword();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!