Submission Details
Severity: low
Invalid

Contract's owner is immutable

Summary

In the PasswordStore contract, the owner's address is set during the contract's construction and cannot be changed after deployment. This design choice means that if there is a need to update the owner's address for any reason, a new contract would need to be deployed, which can be inconvenient and less flexible.

Vulnerability Details

The contract initializes the owner's address in the constructor, and this value is immutable once set. Once the contract is deployed to the blockchain, there is no built-in mechanism to update the owner's address. If there is a need to change the ownership, it cannot be achieved within the current contract's design.

Impact

The impact of this issue is that it limits the flexibility and manageability of the contract. If circumstances change and ownership needs to be transferred or updated, it would require deploying an entirely new contract. This can be cumbersome.

Tools Used

No tools used. It was discovered through manual inspection of the contract.

Recommendations

To enhance the flexibility and manageability of the contract, consider implementing a mechanism for changing ownership. This could involve adding a function that allows the current owner to transfer ownership to another address. This way, if ownership needs to change in the future, it can be achieved without the need to deploy a new contract. Best practice is to extend OpenZeppelin's Ownable contract: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol
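
A sketch of the ownership-transfer mechanism the recommendation describes, as an added example that is not part of the submission or of the PasswordStore source. The contract name, storage names, errors and events are assumptions. It goes one step beyond a single transfer function by using a two-step handover (nominate, then accept), so a mistyped address cannot take ownership.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration; contract and member names are hypothetical,
// not taken from the audited PasswordStore source.
contract TransferableOwnerSketch {
    address private s_owner;
    address private s_pendingOwner;

    error NotOwner();
    error NotPendingOwner();

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    constructor() {
        // Same starting point the submission describes: owner set at deployment.
        s_owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    modifier onlyOwner() {
        if (msg.sender != s_owner) revert NotOwner();
        _;
    }

    // Step 1: the current owner nominates a successor. Ownership does not
    // move yet; nominating address(0) cancels a pending handover.
    function transferOwnership(address newOwner) external onlyOwner {
        s_pendingOwner = newOwner;
        emit OwnershipTransferStarted(s_owner, newOwner);
    }

    // Step 2: the nominee proves control of the address by accepting.
    function acceptOwnership() external {
        if (msg.sender != s_pendingOwner) revert NotPendingOwner();
        address previous = s_owner;
        s_owner = msg.sender;
        delete s_pendingOwner;
        emit OwnershipTransferred(previous, msg.sender);
    }

    function owner() external view returns (address) {
        return s_owner;
    }
}
```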

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
