The setPassword function in the PasswordStore contract lacks a check that the message sender is the owner. This contradicts the function's documentation, which states that only the owner can set a new password.
Because there is no validation of msg.sender in setPassword, any externally owned account or contract can call it and overwrite the stored password.
The impact is that unauthorized parties can replace the password the owner stored, which breaks the access-control guarantee described in the contract's documentation: the owner loses control of the value they set, and the stored password can no longer be trusted to be the owner's.
No specific tools were used to identify this vulnerability. It was discovered through manual inspection of the contract and comparing its functionality to its documentation.
To address this vulnerability and align the contract with its intended functionality and documentation, add a check in the setPassword function so that only the owner can call it. This can be achieved by modifying the function as follows:
```solidity
function setPassword(string memory newPassword) external {
    require(msg.sender == s_owner, "Only the owner can set a new password.");
    s_password = newPassword;
    emit SetNetPassword();
}
```
Prefer a custom error over a revert string for better gas efficiency; the same check can also be factored into an `onlyOwner` modifier shared with getPassword.
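The following Foundry test is an added example, not code from the PasswordStore contest or its author. It pairs a minimal stand-in that keeps the flaw (no owner check on setPassword) with a hardened version that uses a custom error and an `onlyOwner` modifier, and demonstrates both behaviours from an attacker address. The storage names `s_owner`, `s_password` and the event `SetNetPassword` follow the text above; the error name `PasswordStore__NotOwner`, the contract names and the use of forge-std are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the audited contract: setPassword has no owner check.
contract VulnerablePasswordStore {
    address private s_owner;
    string private s_password;
    event SetNetPassword();

    constructor() { s_owner = msg.sender; }

    // Missing access control: any caller can overwrite the password.
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
        emit SetNetPassword();
    }

    function getPassword() external view returns (string memory) {
        require(msg.sender == s_owner, "not owner"); // assumed read gate
        return s_password;
    }
}

// Hardened version: owner check via modifier, custom error instead of a string.
contract HardenedPasswordStore {
    error PasswordStore__NotOwner(); // assumed error name for this example

    address private s_owner;
    string private s_password;
    event SetNetPassword();

    modifier onlyOwner() {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        _;
    }

    constructor() { s_owner = msg.sender; }

    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
        emit SetNetPassword();
    }

    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}

contract SetPasswordAccessTest is Test {
    address owner = makeAddr("owner");
    address attacker = makeAddr("attacker");

    // Vulnerable: an arbitrary address silently replaces the owner's password.
    function test_AnyoneCanOverwritePassword_Vulnerable() public {
        vm.prank(owner);
        VulnerablePasswordStore store = new VulnerablePasswordStore();

        vm.prank(owner);
        store.setPassword("ownerSecret");

        vm.prank(attacker);
        store.setPassword("attackerChoice"); // no revert

        vm.prank(owner);
        assertEq(store.getPassword(), "attackerChoice");
    }

    // Hardened: the same call from a non-owner reverts with the custom error.
    function test_NonOwnerReverts_Hardened() public {
        vm.prank(owner);
        HardenedPasswordStore store = new HardenedPasswordStore();

        vm.prank(owner);
        store.setPassword("ownerSecret");

        vm.prank(attacker);
        vm.expectRevert(HardenedPasswordStore.PasswordStore__NotOwner.selector);
        store.setPassword("attackerChoice");

        vm.prank(owner);
        assertEq(store.getPassword(), "ownerSecret");
    }
}
```

Run with `forge test --match-contract SetPasswordAccessTest`. The first test passes against the vulnerable stand-in, which is the proof of concept for this finding; the second shows that the custom-error check rejects the attacker while leaving the owner's value intact. Applying the modifier to both setPassword and getPassword keeps the write and read gates consistent.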
Anyone can call `setPassword` and set a new password contrary to the intended purpose.