Submission Details
Severity:
setPassword() function does not validate password, therefore malicious values can be stored
Summary
The PasswordStore::setPassword() function does not validate the new password value before storing.
Vulnerability Details
@> function setPassword(string memory newPassword) external {
// Check here
s_password = newPassword;
emit SetNetPassword();
}
Malicious or invalid password values could be stored, like empty or too long strings.
Impact
Unintended consequences from storing unexpected password values later. PoC:
function setPassword(string memory newPassword) external onlyOwner {
require(bytes(newPassword).length > 0, "Password is empty");
s_password = newPassword;
emit SetNetPassword();
}
Tools Used
Foundry
Slither
Recommendations
Add validation checks on password like minimum length requirements before storing.
+ require(bytes(newPassword).length > 0, "Password is empty");
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
JCM
almost 2 years ago
inallhonesty
almost 2 years ago
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.