Improper access control on setPassword() function
Anyone could execute setPassword() and change the owner password with theirs
Unauthorized data change
Manual code review with remediation snippet
Added Modifier to be applied to both getter and setter in order to restrict function execution to the contract owner (creator)
modifier onlyOwner() {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
_;
}
function setPassword(string memory newPassword) onlyOwner external
function getPassword() onlyOwner external view returns (string memory)
So normal code flow execution would continue once "_" is hit.
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.