Submission Details
Severity:
No authorization on setPassword(), therefore anyone can set the password
Summary
The PasswordStore::setPassword() function does not check that msg.sender is the owner before updating the password.
Vulnerability Details
@> function setPassword(string memory newPassword) external {
// Authorization missing after function call
s_password = newPassword;
emit SetNetPassword();
}
Any address can call setPassword() and change the stored password without being the owner.
Impact
Loss of password security and control, stored password can be changed by unauthorized addresses.
PoC:
function setPassword(string memory newPassword) external {
require(msg.sender == i_owner, "Caller is not the owner");
s_password = newPassword;
}
Tools Used
Foundry
Slither
Recommendations
Add an authorization check that msg.sender must equal the owner before updating the password.
function setPassword(string memory newPassword) external {
+ require(msg.sender == i_owner, "Caller is not the owner");
s_password = newPassword;
emit SetNetPassword();
}
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.