no access restriction, any account can create its own Vault which may be intended but confirm requirements
no access restriction, any account can create its own Vault which may be intended but confirm requirements
Description
set_secret functionhas no access restrictions on creating the vault.
Recommended Mitigation
Add the access control, either to onlyOwner or verified user to create the vault
Lead Judging Commences
Anyone can call `set_secret` function
In Move for Aptos, the term "owner" refers to a signer, which is a verified account that owns a given resource, has permission to add resources and the ability to grant access or modify digital assets. Following this logic in this contest, the owner is the account that owns `Vault`. This means that anyone has right to call `set_secret` and then to own the `Vault` and to retrieve the secret from the `Vault` in `get_secret` function. Therefore, this group is invalid, because the expected behavior is anyone to call the `set_secret` function.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.