Submission Details
Severity: high
Valid

Access Control issue

Summary

Improper access control on setPassword() function

Vulnerability Details

Anyone can call setPassword() and replace the owner's password with their own.

Impact

Unauthorized data change

Tools Used

Manual code review with remediation snippet

Recommendations

Add a modifier and apply it to both the getter and the setter in order to restrict function execution to the contract owner (creator).

    modifier onlyOwner() {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        _;
    }

function setPassword(string memory newPassword) onlyOwner external
function getPassword() onlyOwner external view returns (string memory)

Normal execution of the function body continues once "_" is reached.
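A Foundry regression test for the recommended fix, added here as an example and not part of the submission or the audited code base. The contract name PasswordStoreFixed, its storage layout, its constructor and the test names are assumptions built around the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in built from the snippet above; not the audited source.
contract PasswordStoreFixed {
    error PasswordStore__NotOwner();
    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender; // deployer becomes the owner
    }

    modifier onlyOwner() {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        _; // function body runs here only when the check passed
    }

    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
    }

    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}

contract PasswordStoreAccessTest is Test {
    PasswordStoreFixed private store;
    address private stranger = makeAddr("stranger"); // constructed test address

    function setUp() public {
        store = new PasswordStoreFixed(); // this test contract is the owner
    }

    // Both entry points must revert with the custom error for a non-owner.
    function test_NonOwnerCannotSetOrRead() public {
        vm.startPrank(stranger);
        vm.expectRevert(PasswordStoreFixed.PasswordStore__NotOwner.selector);
        store.setPassword("stranger-password");
        vm.expectRevert(PasswordStoreFixed.PasswordStore__NotOwner.selector);
        store.getPassword();
    }

    // The owner path must keep working after the modifier is added.
    function test_OwnerCanSetAndRead() public {
        store.setPassword("owner-password");
        assertEq(store.getPassword(), "owner-password");
    }
}
```

Run it with forge test; removing onlyOwner from setPassword makes test_NonOwnerCannotSetOrRead fail, which is the behaviour this finding reports.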

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
