Tags: Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

The setPassword function can be called by any user to modify the password

Summary

The setPassword function does not obey its specification: any user can update the password.

Vulnerability Details

The description of the setPassword function states that only the owner, s_owner, may set the password. However, the function performs no authentication, so any user can modify the password: no modifier or require statement restricts the caller. This is a critical issue.

Impact

Since the password can be updated by any user, the owner of the contract may later retrieve a different password from the one he/she stored. This is critical if the protocol is used for authentication purposes: the owner would read an incorrect password, leading to unintended behavior.

Tools Used

Manual Review

Recommendations

Use the OpenZeppelin Ownable contract and initialize the owner in the constructor. Also, mark setPassword with the onlyOwner modifier. If not using the OpenZeppelin contract, the developer should write their own onlyOwner modifier that validates the caller when the function is invoked.
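Added example illustrating this recommendation; it is constructed for this write-up and is not the audited contract's code or the submitter's. It assumes the storage names s_owner and s_password and a hypothetical NotOwner error, gates setPassword with a hand-written onlyOwner modifier, and includes a Foundry test that checks a non-owner call reverts without touching the stored value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Constructed example, not the audited contract: the fix this recommendation
// describes, with a hand-written onlyOwner modifier. Inheriting OpenZeppelin's
// Ownable and using its onlyOwner modifier is the drop-in alternative.
contract PasswordStoreFixed {
    error NotOwner(); // assumed error name, not from the audited code
    address private immutable s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender; // owner fixed at deployment, as recommended
    }
    // Any caller other than s_owner reverts before storage is touched.
    modifier onlyOwner() {
        if (msg.sender != s_owner) revert NotOwner();
        _;
    }
    // The finding: without this modifier anyone could overwrite s_password.
    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
    }

    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}

// Foundry test: a non-owner call must revert and leave the stored value alone,
// while the deploying owner (this test contract) can still update it.
contract PasswordStoreFixedTest is Test {
    PasswordStoreFixed store;
    address attacker = makeAddr("attacker"); // constructed test address

    function setUp() public {
        store = new PasswordStoreFixed();
    }
    function testOnlyOwnerCanSetPassword() public {
        vm.prank(attacker);
        vm.expectRevert(PasswordStoreFixed.NotOwner.selector);
        store.setPassword("hijacked");
        assertEq(store.getPassword(), ""); // non-owner call changed nothing
        store.setPassword("secret"); // owner call succeeds
        assertEq(store.getPassword(), "secret");
    }
}
```

Running `forge test` against this file exercises both branches of the modifier; the same test would fail against a setPassword that lacks the modifier.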

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
