Password can be changed by anyone, which can cause high loss to individual user
Summary
Password can be changed by anyone, which can cause high loss to individual user
Vulnerability Details
address private s_owner;
-
// @audit owner address should be set to immutable
address immutable private s_owner;// @audit Irrespective of the identifier type, NO SECRET SHOULD BE SAVED ON THE BLOCKCHAIN BECAUSE THE EVM IS PUBLICLY AVAILABLE
string private s_password;
function setPassword(string memory newPassword) external {
s_password = newPassword;
emit SetNetPassword();
}
-
function setPassword(string memory newPassword) external {
require(msg.sender == s_owner, "Only owner can call this function");
s_password = newPassword;
emit SetNetPassword();
} -
// @audit NO SECRET SHOULD BE SAVED ON THE BLOCKCHAIN BECAUSE THE EVM IS PUBLICLY AVAILABLE
function getPassword() external view returns (string memory) {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
return s_password;
}
Impact
Only the user can change and retrieve the Password as the smart contract promise for the same
Tools Used
Remix
Recommendations
Lead Judging Commences
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.