Submission Details
Severity: low
Invalid

Getter Function Reverts

Summary

Getter Function Reverts

Vulnerability Details

In the smart contract PasswordStore.sol, the getter function getPassword reverts if the sender is not the owner of the contract. Generally, getter functions should not revert but should return a default value instead.

Proof of Concept

    function test_getter_function_reverts() public {
        vm.startPrank(address(1)); // different from owner
        vm.expectRevert();
        passwordStore.getPassword();
        vm.stopPrank();
    }

The output is shown below.

forge test --mt test_getter_function_reverts
[⠒] Compiling...
No files changed, compilation skipped
Running 1 test for test/PasswordStore.t.sol:PasswordStoreTest
[PASS] test_getter_function_reverts() (gas: 13118)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 710.29µs
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

Low Impact (more like QA), as view functions do not modify storage variables.

Tools Used

Manual Review

Recommendations

If the idea is to continue storing the password in state (knowing that private variables are still exposed publicly), return an empty string when msg.sender is not the owner instead of reverting.

    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) {
            return "";
        }
        return s_password;
    }

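
A Foundry test for the recommended getter, added here as an example; it is not part of the original submission or of the PasswordStore repository. The `PasswordStoreSketch` contract, its storage layout and the sample password are assumptions made for illustration, and the second test shows the point made in parentheses above: the owner check does not keep the stored value confidential.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for PasswordStore.sol with the recommended getter;
// the storage layout (owner in slot 0, password in slot 1) is an assumption.
contract PasswordStoreSketch {
    address private s_owner;
    string private s_password;

    constructor(string memory password) {
        s_owner = msg.sender;
        s_password = password;
    }

    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) {
            return "";
        }
        return s_password;
    }
}

contract PasswordStoreSketchTest is Test {
    PasswordStoreSketch store;

    function setUp() public {
        store = new PasswordStoreSketch("hunter2"); // constructed sample value
    }

    function test_non_owner_gets_default_value() public {
        vm.prank(address(1)); // different from owner
        assertEq(store.getPassword(), "");
        // The test contract deployed the store, so it is the owner.
        assertEq(store.getPassword(), "hunter2");
    }

    function test_owner_check_is_not_confidentiality() public {
        // A string shorter than 32 bytes lives in its own slot:
        // data left-aligned, lowest byte = length * 2.
        bytes32 raw = vm.load(address(store), bytes32(uint256(1)));
        bytes32 expected = bytes32("hunter2") | bytes32(uint256(7 * 2));
        assertEq(raw, expected);
    }
}
```
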
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
