Submission Details
Severity:
No check for setPassword
Summary
No authentication control in the setPassword() function.
Vulnerability Details
Password can be changed thanks to
function setPassword(string memory newPassword) external {
s_password = newPassword;
emit SetNetPassword();
}
Impact
Anyone can overwrite/modify the password.
Tools Used
Foundry cast :
cast send <CONTRACT_ADDRESS> "setPassword(string memory)" test --private-key $PRIVATE_KEY
Recommendations
Add a modifier to verify the owner address:
modifier onlyOwner() {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
}
function setPassword(string memory newPassword) external onlyOwner() {
s_password = newPassword;
emit SetNetPassword();
}
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.