Submission Details
Severity:
`setPassword()` function can be called by everyone
Summary
The NatSpecs for setPassword() function says:
/*
* @notice This function allows only the owner to set a new password.
* @param newPassword The new password to set.
*/
However the funcion setPassword() can be called by everyone, breaking the entire logic and purpose of the PasswordStore contract.
Vulnerability Details
setPassword()function (https://github.com/Cyfrin/2023-10-PasswordStore/blob/main/src/PasswordStore.sol#L26-L29)
/*
* @notice This function allows only the owner to set a new password.
* @param newPassword The new password to set.
*/
function setPassword(string memory newPassword) external {
s_password = newPassword;
emit SetNetPassword();
}
Impact
Breaking the entire logic and purpose of the PasswordStore contract.
Tools Used
Manual Review
Recommendations
Implement onlyOwner modifier.
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.