Submission Details
Severity:
Everyone can set new password.
Summary
The password of the contract can be set by any user.
Vulnerability Details
The setPassword function is used to set new password. However this function lacks access control and anyone can call it and set new password.
Impact
Password can be changed by anyone.
Tools Used
Manual Review, Foundry
Proof of Concept
Add the following test case to the PasswordStore.t.sol:
function test_user_can_change_password() public {
vm.startPrank(address(1));
passwordStore.setPassword("changedPassword");
vm.startPrank(owner);
string memory newPassword = passwordStore.getPassword();
assertEq(newPassword, "changedPassword");
}
[PASS] test_non_owner_reading_password_reverts() (gas: 11213)
[PASS] test_owner_can_set_password() (gas: 22163)
[PASS] test_user_can_change_password() (gas: 22191)
Recommendations
Add access control to setPassword, for example:
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.