Beginner Friendly / Foundry
100 EXP
Submission Details
Severity: high
Valid

Literally anyone can read the password.

Summary

Because the blockchain is public and immutable, anyone with access to it can read the password. No interaction with the PasswordStore.sol contract is needed: the plaintext travels in the calldata of every setPassword() transaction and then sits in the contract's storage, both of which any node will hand out.

Vulnerability Details

Let's review the setPassword() function, including its NatSpec comments:

    /*
     * @notice This function allows only the owner to set a new password.
     * @param newPassword The new password to set.
     */
    function setPassword(string memory newPassword) external {
        // newPassword arrives as plaintext calldata and is stored as plaintext
        s_password = newPassword;
        emit SetNetPassword();
    }

The @param newPassword NatSpec only says that this is the new password to set; nothing says it is secret, and nothing can make it so. The value is passed as a plain string argument, so it appears verbatim in the Input Data of every transaction that calls setPassword() on the PasswordStore contract, and that calldata is public and permanent. After the call the same plaintext also sits in the s_password storage slot, which any node returns via eth_getStorageAt; the private keyword only stops other contracts from reading it through Solidity.

Impact

Anyone can read the password, at no cost beyond querying a node. One could even register a domain such as www.passwordleaks.com, fetch the input data of every transaction that calls setPassword() on PasswordStore.sol, and publish the passwords to the whole internet in a table:

    Contract Address   Owner           Password
    0x..t3st           0x....3x4mpl3   password

Tools Used

Manual Review

Recommendations

Encrypt the password off-chain and store only the ciphertext in the PasswordStore.sol contract (or, if the contract only needs to verify a password rather than return it, a salted hash); decrypt off-chain when needed. The stored value is still public, so the key must never be sent to the chain in calldata or kept in storage. Otherwise using this contract is pointless.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private does not mean secret/confidential.
