Submission Details
Severity:
[H-01] `PasswordStore.setPassword()`: Lack of access control allows anyone to change owners password
Impact
Anyone can change the password of any owners deployed PasswordStore contract due to a lack of access control. This can DoS user from whatever he is trying to access when inputting what he thinks is the correct password, but is not since it has already been changed.
function setPassword(string memory newPassword) external {
s_password = newPassword;
emit SetNetPassword();
}
Proof of Concept
Add this test in the PasswordStore.t.sol and run forge test --mt test_change_password
function test_change_password() public {
vm.startPrank(owner);
string memory expectedPassword = "myNewPassword";
passwordStore.setPassword(expectedPassword);
string memory actualPassword = passwordStore.getPassword();
assertEq(actualPassword, expectedPassword);
vm.stopPrank()
vm.startPrank(address(1));
string memory attackerPassword = "AttackerPassword";
passwordStore.setPassword(attackerPassword);
string memory actualPassword2 = passwordStore.getPassword();
assertEq(actualPassword2, attackerPassword);
vm.stopPrank()
}
Tools Used
Manual Analysis
Recommendations
Add the following check to setPassword()
function setPassword(string memory newPassword) external {
+ if (msg.sender != s_owner) {
+ revert PasswordStore__NotOwner();
+ }
s_password = newPassword;
emit SetNetPassword();
}
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.