Severity: high
Valid

Anyone Can Change The Password

Summary

Anyone can change the password, before or after the owner sets its password.

Vulnerability Details

The setPassword() function does not check who is calling it, so it is callable by anyone. Anyone can change the password just by calling it, which defeats the whole point of the smart contract.

POC: Add this function to PasswordStore.t.sol and run "forge test --match-test test_non_owner_can_change_password"

function test_non_owner_can_change_password() public {
    vm.startPrank(owner);
    string memory ownersPassword = "myFirstPassword";
    passwordStore.setPassword(ownersPassword);
    vm.stopPrank();
    vm.startPrank(address(1));
    string memory maliciousPassword = "maliciousPassword";
    passwordStore.setPassword(maliciousPassword);
    vm.stopPrank();
    // We changed prank to owner because only owner can use getPassword() function
    vm.startPrank(owner);
    string memory actualPassword = passwordStore.getPassword();
    assertEq(actualPassword, maliciousPassword);
}

Impact

Because of this bug, the protocol loses its whole purpose: the password should not be changeable by anyone other than the owner.

Tools Used

Manual Review

Recommendations

Add an owner check to the setPassword() function, as is done in getPassword():

if (msg.sender != s_owner) {
    revert PasswordStore__NotOwner();
}

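
A regression test for the recommended fix, as an added example that is not part of the original submission or the project's code. The contract name PasswordStoreFixed, the s_password variable, the constructor and the 0xA11CE owner address are assumptions made so the file compiles on its own under Foundry.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Assumed minimal contract shape with the recommended check applied.
// s_owner and PasswordStore__NotOwner come from the finding; the rest is assumed.
contract PasswordStoreFixed {
    error PasswordStore__NotOwner();
    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender;
    }

    function setPassword(string memory newPassword) external {
        // The check that was missing: only the owner may write.
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        s_password = newPassword;
    }

    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        return s_password;
    }
}

contract PasswordStoreFixedTest is Test {
    PasswordStoreFixed passwordStore;
    address owner = address(0xA11CE); // constructed test address

    function setUp() public {
        vm.prank(owner); // deploy as owner so s_owner == owner
        passwordStore = new PasswordStoreFixed();
    }

    function test_non_owner_cannot_change_password() public {
        vm.prank(owner);
        passwordStore.setPassword("myFirstPassword");
        // Same call the PoC makes from address(1); it must now revert.
        vm.prank(address(1));
        vm.expectRevert(PasswordStoreFixed.PasswordStore__NotOwner.selector);
        passwordStore.setPassword("maliciousPassword");
        // The owner's value must be unchanged after the rejected call.
        vm.prank(owner);
        assertEq(passwordStore.getPassword(), "myFirstPassword");
    }
}
```
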
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
