Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

No access control in the setPassword function

Summary

The "setPassword" function has no access control.

Vulnerability Details

Anyone can call the function and set a new password.

Impact

High impact, because anybody can set a new password and so obtain control of the contract.

Tools Used

Manual Review

Recommendations

Create an Only Owner modifier so only the deployer of the contract can set a new password:

    modifier isOwner() {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        _;
    }

and then use it in the "setPassword" function:

    function setPassword(string memory newPassword) external isOwner {
        ...
    }

Or check the s_owner variable directly in the function to ensure that only the owner can set a new password:

    function setPassword(string memory newPassword) external {
        // Access control: only the owner can use this function.
        // if/revert works on any compiler with custom errors;
        // require(cond, CustomError()) needs Solidity 0.8.26 or later.
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        s_password = newPassword;
        emit SetNetPassword(); // Assuming SetNetPassword is an event you have defined
    }

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
