Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Use Password Hashing for Improved Security

Summary

While the password is stored as a private variable, note that all blockchain transactions and state are public and visible to everyone.

Vulnerability Details

The password is stored as a private variable; this makes it vulnerable to unauthorized access.

Impact

Since all transactions are visible on the blockchain, the password will be visible to the public, and this makes the contract vulnerable.

Tools Used

Manual analysis

Recommendations

You should consider implementing password hashing so that a hash of the password is stored instead of the password itself, and update getPassword to verify the supplied password against that hash before retrieval. Below is how I would implement the password storage first:

// Custom error raised when the supplied password does not match the stored hash
error Password_Incorrect();
// Only the keccak256 hash of the password is kept on-chain, never the plaintext
bytes32 public s_passwordHash;

Set the password on deployment, which means you do it in the constructor as below:

constructor(bytes32 passwordHash) payable {
    // The deployer computes keccak256 of the password off-chain and passes only the hash
    s_passwordHash = passwordHash;
}

Now that the password is set on deployment, your getPassword should look like the function below, so it checks the hash before returning anything:

// Marked view: the function only reads state and never writes it
function getPassword(string memory password) external view onlyOwner returns (bytes32) {
    // Recompute the hash of the supplied password and compare it with the stored hash
    if (keccak256(abi.encodePacked(password)) == s_passwordHash) {
        return s_passwordHash;
    } else {
        revert Password_Incorrect();
    }
}

Please note that we are using onlyOwner for additional security, to ensure only the owner is able to call getPassword.
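The three fragments above assembled into one deployable contract, as an added example that is not the submission's own code nor the PasswordStore project's code. The contract name HashedPasswordStore, the i_owner variable, the NotOwner error, the onlyOwner modifier and the setPassword function are assumptions introduced here; the page only shows the error, the hash variable, the constructor and getPassword.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example: assembles the recommended hash-based design into one contract.
// HashedPasswordStore, i_owner, NotOwner, onlyOwner and setPassword are assumptions.
contract HashedPasswordStore {
    error Password_Incorrect();
    error NotOwner();

    // Deployer becomes the owner; immutable so it cannot be changed later
    address private immutable i_owner;
    // Only the keccak256 hash of the password is stored, never the plaintext
    bytes32 public s_passwordHash;

    // The deployer hashes the password off-chain and supplies only the hash
    constructor(bytes32 passwordHash) payable {
        i_owner = msg.sender;
        s_passwordHash = passwordHash;
    }

    // Restricts a function to the deployer
    modifier onlyOwner() {
        if (msg.sender != i_owner) revert NotOwner();
        _;
    }

    // Owner rotates the stored hash; again the plaintext never touches storage
    function setPassword(bytes32 newPasswordHash) external onlyOwner {
        s_passwordHash = newPasswordHash;
    }

    // Recomputes the hash of the supplied password and compares it with the stored one;
    // reverts with Password_Incorrect on mismatch
    function getPassword(string memory password) external view onlyOwner returns (bytes32) {
        if (keccak256(abi.encodePacked(password)) != s_passwordHash) {
            revert Password_Incorrect();
        }
        return s_passwordHash;
    }
}
```

Two points to keep in mind when applying this design: a public hash of a low-entropy password can still be guessed offline by anyone hashing candidate passwords, so the secret must have enough entropy to make that impractical; and a plaintext password passed as a function argument in a transaction is recorded in that transaction's calldata, so hashing protects the value at rest in storage but not a value that is later submitted on-chain. Calling getPassword through an eth_call (no transaction) avoids the second issue for a read-only check.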

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
