Submission Details
Severity: high
Valid

Anyone can set/reset owner's password

Summary

Any third party can set or reset the password stored in the contract, regardless of whether they are the owner of the password store contract.

Vulnerability Details

The `setPassword` function is vulnerable because it lacks the access control check that should ensure only the owner's address can call it and set a password.

```solidity
function setPassword(string memory newPassword) external {
    // No check on msg.sender: any caller can overwrite the stored password.
    s_password = newPassword;
    emit SetNetPassword();
}
```

Impact

With this vulnerability, the owner will probably find, every once in a while, that others have set a new password after the owner initially set one themselves.

Tools Used

Manual review

Recommendations

Enforce access control in the `setPassword` function, like you did with the `getPassword` function.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

0xrex Submitter
almost 2 years ago