Submission Details
Severity:
Unrestricted access to core functions
Summary
Suppose only owner can change the password. The function is not restricted, anyone can call to change the password
Vulnerability Details
function setPassword(string memory newPassword) external {
s_password = newPassword;
emit SetNetPassword();
}
The setPassword() function decalre as external method, it is unrestricted, can be call by EOA or other contract.
Impact
Anyone can change the s_password.
Recommendations
modifier onlyOwner() {
if(msg.sender != s_owner) revert ("Not owner");
_;
}
function setPassword(string memory newPassword) external onlyOwner{
s_password = newPassword;
emit SetNetPassword();
}
Add a modifier that detect the msg.sender, revert transaction if caller not contract owner.
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.