- High: 2
- Medium: 0
- Low: 1
https://github.com/Cyfrin/2023-10-PasswordStore/blob/main/src/PasswordStore.sol#L14
Storing sensitive information directly on-chain poses significant privacy and security risks.
The PasswordStore contract saves passwords, s_password, in a storage slot within the contract. This data is stored on-chain, essentially making it public information. Tagging the passwords as private only prevents other smart contracts from viewing the s_password value, not the rest of the world.
Passwords stored on-chian are not secret and can be read and used by anyone.
Manual Review
Salt & Hash. Do not store plain text passwords on-chain. Instead create a unique salt for each password. Hash the salt and the password, store and use that result to verify passwords.
https://github.com/Cyfrin/2023-10-PasswordStore/blob/main/src/PasswordStore.sol#L23-#L28
Critical setPassword Function Lacks Access Control
Per the developer's notes, the setPassword function is intended to be callable only by the owner. However, this function currently lacks any access control checks, making it callable by anyone.
Anyone can change the password.
Manual review
- Create an
onlyOwnermodifier and use it on functions that should be callable only by the owner.
modifier onlyOwner() {
if (owner() != _msgSender()) {
revert PasswordStore__NotOwner();
}
_;
}
-
Consider utilizing OpenZeppelin's
Ownablecontract, which already provides theonlyOwnermodifier. -
Use the same logic in the
getPasswordfunction within thesetPasswordfunction.
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
https://github.com/Cyfrin/2023-10-PasswordStore/blob/main/src/PasswordStore.sol#L16
Typo Of Event Name
The event SetNetPassword should likely be SetNewPassword.
Developer confusion
Manual review
Change SetNetPassword to SetNewPassword