Submission Details
Severity:
Password Length
Summary
Password must not be empty and must be at least Eight characters in length.
Vulnerability Details
function setPassword(string memory newPassword) external {
// no check for determining password length.
s_password = newPassword;
emit SetNetPassword();
}
## Impact
Let's say if owner omits to pass a password argument or pass a password argument of length zero then in future when owner will try to retrieve password, Eventually owner will get an empty string as password. Owner will get confused and will start thinking what the last memorized password was???
It's also important to force owner to set a strong password at least 8 characters in length.
It can also lead to storage wastage.
## Tools Used
Manually Hunted.
## Recommendations
As we know we can calculate a string's length by typecasting it to `bytes`. We can implement a check as shown below to assure password's length.
There should also have a check which can enforce owner to choose a strong password. For example... Please select a password that contains at least one special character, one digit, one lowercase english alphabet, one uppercase english alphabet.
```solidity
error PasswordStore__PasswordMustBeAtLeastEightCharsLength(uint256 passwordLength);
// statement
// statement
//...
if (bytes(newPassword).length < 8) {
revert PasswordStore__PasswordMustBeAtLeastEightCharsLength(bytes(newPassword).length);
}
Updates
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.