First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

[H-1]No access control on the setPassword function

0x0bservor

Summary

The contract is designed to let only the owner to store a private password but currently the setPassword function doesn't have any access control, enabling anyone to overwrite it.

Vulnerability Details

The setPassword function doesn't have any checks looking to see if the caller is the owner of the contract. This makes it so that anyone could call this function and are able to set the password.

Proof of concept:

  1. Deploy the contract using Account1 as the owner.

  2. The owner then calls the setPassword and set a new password.

  3. Switch to the attackers side Account2.

  4. Call the setPassword function using Account2 and set a new password.

  5. The results should be the password set by the attacker proving the issue at hand.

Impact

The impact of this vulnerability is high and the likelihood is high as well.

Tools Used

Manual Review

Recommendations

Implementing a check to see if the caller is the contract owner should be implemented such as:

function setPassword(string memory newPassword) external {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
s_password = newPassword;
emit SetNetPassword();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.