First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Non owner can set password

rocknet

Summary

Function setPassword comment says the function only allows the owner to set the password, but there is no owner check in the function, allowing anyone to set the password.

There is no test covering the expectation of a revert when a non-owner calls setPassword.

Vulnerability Details

Anyone with the contract address would be able to set the content of s_password, which is contrary to the intent of the function. Further, it would overwrite the value stored in s_password, which would prevent the owner from retrieving what they stored.

Impact

The contract doesn't live up to what it says.

Tools Used

Wrote a Foundry test after reading the comment on the function. Test fails:

function test_non_owner_cannot_set_password() public {
vm.startPrank(address(1));
string memory expectedPassword = "myNewPassword";
vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
passwordStore.setPassword(expectedPassword);
}

Recommendations

Add owner check to setPassword, like there is in getPassword. Write a test covering the non owner setting password case, like there is for testing non owner reading the password.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.