First Flight #1: PasswordStore

First Flight #1

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

PasswordStore

SaudxInu

Summary

Anyone can set the password.
Anyone can read the password.

Vulnerability Details

Anyone can set the password. No access control is present on the solidity setPassword.
Anyone can read the password directly from the storage slot.

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts, where visible mean visible for use.

Anyone can read private functions and state variables.

You can add the following function to solidity PasswordStoreTest and run forge test -vvv.

If you look at the logs you will see that solidity secret_password and solidity retrieved_password are the same.

function test_non_owner_reading_password() public ownerChangePassword {

vm.startPrank(owner);

string memory secret_password = passwordStore.getPassword();

vm.stopPrank();

// If the string is bigger than 32 bytes, in slot 1, length of the string will be stored

// and string will be stored from slot number keccak256(abi.encodePacked(1)) till keccak256(abi.encodePacked(1)) + length - 1.

// So, you need read from those slots and then convert to a string.

// Please refer https://medium.com/@0xZorz/how-to-read-dynamic-arrays-directly-from-storage-using-foundry-bdf5a104b8f6 for more details.

string memory retrieved_password =

string(abi.encodePacked(vm.load(address(passwordStore), bytes32(uint256(1)))));

console.log(secret_password);

console.log(retrieved_password);

// Error - abi.encodePacked is giving different bytes for same string.

// Just try removing keccak256 and logging the results.

// abi.encodePacked(secret_password) -> 0x6d794e657750617373776f7264

// abi.encodePacked(retrieved_password) -> 0x6d794e657750617373776f72640000000000000000000000000000000000001a

assertEq(keccak256(abi.encodePacked(secret_password)), keccak256(abi.encodePacked(retrieved_password)));

}

Impact

Anyone can set the password.
Anyone can retrieve the password.

Tools Used

Foundry

Recommendations

Add access control to solidity setPassword function.

* @notice This function allows only the owner to set a new password.

* @param newPassword The new password to set.

function setPassword(string memory newPassword) external {

if (msg.sender != s_owner) {

revert PasswordStore__NotOwner();

}

s_password = newPassword;

emit SetNetPassword();

}

Use a private key to encrypt the password and store the encrypted password on blockchain.

Updates

Lead Judging Commences

inallhonesty Lead Judge

about 2 years ago

inallhonesty Lead Judge about 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.