Submission Details
Severity:
onlyOwner modifier should be considered for setPassword
Summary
Since the function setPassword states that only the owner has to be able to set a password, it would be sufficient to add onlyOwner modifier to it.
Vulnerability Details
As stated in the documentation, password should be set by owner only, so this vulnerability makes it possible to anyone to set it.
Impact
Password might be set by any user.
Tools Used
Manual codebase analysis.
Recommendations
- function setPassword(string memory newPassword) external {
+ modifier onlyOwner() {
+ require(msg.sender == owner, "Not owner");
+ _;
+ }
+ function setPassword(string memory newPassword) onlyOwner external {
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
damoklov
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.