Submission Details
Severity: high
Valid

Due to missing access control, anyone can call the `setPassword` function of `PasswordStore.sol` and set a new password.

Summary

Anyone can call the `setPassword` function and change the password, which deletes the original password. The owner will then be unable to access his original password.

Vulnerability Details

Vulnerable code: src/PasswordStore.sol#L26-L30

    function setPassword(string memory newPassword) external {
        s_password = newPassword;
        emit SetNetPassword();
    }

Impact

Anyone can update the password due to the missing access control, so the owner's original password is lost and overwritten by a new, malicious password that is of no use to the contract owner.

Tools Used

Manual

Recommendations

Add an access control check to the `setPassword` function so that only the contract owner can call it. The owner is the deployer of the contract.

function setPassword(string memory newPassword) external {
+ if (msg.sender != s_owner) {
+ revert PasswordStore__NotOwner();
+ }
s_password = newPassword;
emit SetNetPassword();
}
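
Review bot: The owner check added at the top of `setPassword` depends on `s_owner` and the `PasswordStore__NotOwner()` error, and neither declaration appears in the lines shown. Confirm that both exist in `PasswordStore.sol` and that `s_owner` is assigned at deployment, since the recommendation states the owner is the deployer. The change should also ship with a test that calls `setPassword` from a non-owner address and expects the `PasswordStore__NotOwner` revert, so the check cannot be dropped unnoticed later.
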
Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

0x11singh99 Submitter
almost 2 years ago