Submission Details
Severity: high
Valid

The setPassword function should check that the caller is the owner; otherwise a non-owner can call the function

Summary

The PasswordStore::setPassword function should check to see if the caller of the function is also the owner of the contract.

Vulnerability Details

An attacker can call setPassword and change the password.

```solidity
function setPassword(string memory newPassword) external {
@>  /* should check to see if the caller is the owner */
    s_password = newPassword;
    emit SetNetPassword();
}
```

Impact

Any address can overwrite the stored password, which breaks the protocol's main functionality: only the owner is supposed to be able to set it.
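A Foundry test that exercises the issue, added here as an example and not part of the original submission. It assumes the contract lives at `src/PasswordStore.sol`, that its constructor sets `s_owner` to `msg.sender`, and that `getPassword()` returns the stored string and reverts with `PasswordStore__NotOwner` for non-owners (the same condition and error the report refers to); the first test documents the bug on the unfixed contract, the second only passes once the owner check is added to `setPassword`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
// Assumed path of the audited contract.
import {PasswordStore} from "../src/PasswordStore.sol";

contract PasswordStoreAccessControlTest is Test {
    PasswordStore private store;
    address private owner = makeAddr("owner");
    address private attacker = makeAddr("attacker");

    function setUp() public {
        // Assumption: the constructor records msg.sender as s_owner,
        // so prank the deployment to make `owner` the contract owner.
        vm.prank(owner);
        store = new PasswordStore();
    }

    // On the unfixed contract this passes: a non-owner overwrites the
    // password and the owner reads back the attacker-chosen value.
    function test_NonOwnerCanOverwritePassword() public {
        vm.prank(attacker);
        store.setPassword("attacker-chosen");

        vm.prank(owner);
        assertEq(store.getPassword(), "attacker-chosen");
    }

    // Regression test for the recommended fix: once setPassword checks
    // msg.sender against s_owner, a non-owner call must revert with
    // the same custom error getPassword already uses.
    function test_NonOwnerCannotSetPassword_AfterFix() public {
        vm.prank(attacker);
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        store.setPassword("attacker-chosen");
    }
}
```

Run with `forge test --match-contract PasswordStoreAccessControlTest -vvv`; exactly one of the two tests should pass depending on whether the fix is applied.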

Tools Used

Foundry

Recommendations

setPassword should use the same condition and revert method as the getPassword function.
```diff
  function setPassword(string memory newPassword) external {
+     if (msg.sender != s_owner) {
+         revert PasswordStore__NotOwner();
+     }
      s_password = newPassword;
      emit SetNetPassword();
  }
```

Updates

Lead Judging Commences

inallhonesty, Lead Judge, almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

daryletan, Submitter, almost 2 years ago
