Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Password can be set by anyone

Summary

Anyone can call setPassword() and set a new password, because the function performs no access control.

Vulnerability Details

setPassword() is an external, state-changing function that never checks msg.sender, so any account can invoke it and replace the stored password. The contract owner's password is silently overwritten, and the same SetNetPassword event is emitted as if the owner had made the change.

@> function setPassword(string memory newPassword) external {
       s_password = newPassword;
       emit SetNetPassword();
   }

https://github.com/Cyfrin/2023-10-PasswordStore/blob/856ed94bfcf1031bf9d13514cb21b591d88ed323/src/PasswordStore.sol#L26
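The following Foundry test reproduces the issue end to end. It is an added proof of concept written for this finding, not code from the PasswordStore repository. It assumes the file is placed in the repository's test/ directory with forge-std available, that the constructor records msg.sender as the owner, and that the repository's getPassword() returns the stored password to the owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol";

// Proof of concept for "Password can be set by anyone".
// Assumptions: run from the repo's test/ directory; PasswordStore's
// constructor sets the deployer as owner; getPassword() is owner-only
// and returns s_password.
contract PasswordStoreAccessControlTest is Test {
    PasswordStore private passwordStore;
    address private owner = makeAddr("owner");       // constructed address
    address private attacker = makeAddr("attacker"); // constructed address

    function setUp() public {
        // Deploy as `owner` so the constructor records it as the owner.
        vm.prank(owner);
        passwordStore = new PasswordStore();
    }

    function test_anyoneCanOverwriteThePassword() public {
        // The owner stores a password.
        vm.prank(owner);
        passwordStore.setPassword("ownerSecret");

        // An unrelated account overwrites it. The call does not revert,
        // because setPassword() never compares msg.sender to the owner.
        vm.prank(attacker);
        passwordStore.setPassword("attackerChoice");

        // The owner now reads back the attacker's value, not their own.
        vm.prank(owner);
        assertEq(passwordStore.getPassword(), "attackerChoice");
    }
}
```

Run with `forge test --match-test test_anyoneCanOverwriteThePassword`. On the unpatched contract the test passes, which is the bug; once setPassword() is restricted to the owner, the attacker's call reverts and the test fails at that line, so it can be kept as a regression test by wrapping the attacker call in vm.expectRevert after the fix is applied.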

Impact

Any account can overwrite the owner's stored password at any time, at no cost beyond gas. The owner loses the value they stored, and the contract's core guarantee, that only the owner controls the password, no longer holds. Because setPassword() emits the same SetNetPassword event for every caller, the owner cannot tell from the event log whether a change was theirs or an attacker's.

Tools Used

Manual Review

Recommendations

Apply an onlyOwner modifier to setPassword(), as in the snippet below, so that only the contract owner can set a new password.

- function setPassword(string memory newPassword) external {
+ function setPassword(string memory newPassword) external onlyOwner {
s_password = newPassword;
emit SetNetPassword();
}
+ modifier onlyOwner() {
+ if (msg.sender != _owner) {
+ revert NotOwner(msg.sender);
+ }
+ _;
+ }
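Review bot: the modifier body references `_owner` and `NotOwner(msg.sender)`, but neither a `_owner` state variable nor a `NotOwner(address)` error is declared anywhere in the hunk, so the patch as written does not compile on its own. Either point the check at the contract's existing owner state variable and existing error, or add the two declarations to the diff (for example `address private _owner;` assigned in the constructor, and `error NotOwner(address caller);`). It would also help to show the modifier in its place inside the contract body rather than detached after `setPassword()`, so the reader can see where it is meant to go.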
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
