Submission Details
Severity: high
Valid

`setPassword()` does not check who the caller is, allowing anyone to change the password

Summary

The `PasswordStore::setPassword()` function does not check who is calling it.

Vulnerability Details

As stated in the function's `@notice`, `setPassword()` should allow only the owner to set a new password.
However, the function does not check who is calling it.

Impact

Anyone can set a new password, and the owner would not know what the new password is.

Tools Used

VS Code

Recommendations

Ensure that only the owner can call the `setPassword()` function, either by adding an explicit condition:

```diff
function setPassword(string memory newPassword) external {
+ if (msg.sender != s_owner) {
+ revert PasswordStore__NotOwner();
+ }
s_password = newPassword;
emit SetNetPassword();
}
```

Or by using the `onlyOwner` modifier:

```diff
// SPDX-License-Identifier: MIT
pragma solidity 0.8.18;
+ import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol";
- contract PasswordStore {
+ contract PasswordStore is Ownable {
- function setPassword(string memory newPassword) external {
+ function setPassword(string memory newPassword) external onlyOwner {
s_password = newPassword;
emit SetNetPassword();
}
```
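Review bot: the `+ import "https://github.com/OpenZeppelin/..."` line will not compile under Foundry's `forge`, which resolves imports through remappings rather than URLs; install the library and import `@openzeppelin/contracts/access/Ownable.sol` instead, and pin a release rather than `master`, since the current OpenZeppelin `Ownable` (v5) requires an initial owner in the constructor (`constructor() Ownable(msg.sender) {}`), otherwise `contract PasswordStore is Ownable` fails to compile.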
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
