Submission Details
Severity:
Lack of access control, any address can call the functions
Summary
No modifiers like onlyOwner are used to restrict functions to only the owner of the address.
Vulnerability Details
@> function setPassword(string memory newPassword) external {
s_password = newPassword;
emit SetNetPassword();
}
@> function getPassword() external view returns (string memory) {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
return s_password;
}
Any address can call the functions setPassword() and getPassword() and access the contract state without restrictions.
Impact
Loss of authorization and access control over contract functions and state.
Poc:
modifier onlyOwner();
function setPassword(string memory newPassword) external onlyOwner {
s_password = newPassword;
emit SetNetPassword();
}
function getPassword() external view onlyOwner returns (string memory) {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
return s_password;
}
Tools Used
Slither
Foundry
Recommendations
Add onlyOwner or similar modifiers to restrict functions to only the owner.
+ modifier onlyOwner();
Updates
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.