The function `setPassword` does not implement any check to ensure that only the contract owner is allowed to set the password.
```solidity
function setPassword(string memory newPassword) external {
    s_password = newPassword;
    emit SetNetPassword();
}
```
As shown, the function is `external`, so anyone can call it, and since no checks are implemented, any string provided by a malicious actor will be stored as `s_password`, contrary to the intended contract logic.
Type of vulnerability: Logic error
How easy is it to exploit the vulnerability: anyone can
manual inspection
The function can implement a check for the owner as follows:
```solidity
function setPassword(string memory newPassword) external {
    // Require that the sender is the owner of the smart contract.
    require(msg.sender == s_owner);
    // Set the new password.
    s_password = newPassword;
    // Emit the SetNetPassword event.
    emit SetNetPassword();
}
```
Anyone can call `setPassword` and set a new password contrary to the intended purpose.