Submission Details
Severity:
The `setPassword` function lacks owner-only access control, allowing anyone to update the password
Summary
No check is performed only to allow the owner of the contract to update the password in setPassword function, so anybody can update the password
Vulnerability Details
Use the proof of code below to verify the vulnerability.
Proof of code
// SPDX-License-Identifier: MIT
import {Test, console} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol";
import {DeployPasswordStore} from "../script/DeployPasswordStore.s.sol";
contract PasswordStoreTest is Test {
PasswordStore public passwordStore;
DeployPasswordStore public deployer;
address public owner;
function setUp() public {
deployer = new DeployPasswordStore();
passwordStore = deployer.run();
owner = msg.sender;
}
// Test no other user can set the password
function testOtherUsersCanNotSetPassword() public {
// Sending transaction as an other then owner user.
vm.prank(address(1));
// Expecting revert as no other user should be able to store password.
vm.expectRevert();
passwordStore.setPassword("Password");
}
}
Impact
Anybody can update the password.
Tools Used
Manual analysis
Recommendations
In setPassword function add the following owner-only access control before updating the password.
+ if (msg.sender != s_owner) {
+ revert PasswordStore__NotOwner();
+ }
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.