Submission Details
Severity: high
Valid

s_password can be read on the blockchain

Summary

All data stored on-chain is readable. Although the PasswordStore::s_password variable is declared private, its value can still be read from the chain because it is stored unencrypted. The private keyword only prevents other contracts from accessing the variable through Solidity; it does nothing to hide the storage slot or the transaction calldata from anyone who queries a node. Anyone can therefore read the stored password, compromising the security of whatever system that password protects.

Vulnerability Details

```solidity
// Password is written to storage as plaintext; the @> line is the vulnerable assignment
function setPassword(string memory newPassword) external {
@>  s_password = newPassword;
    emit SetNetPassword();
}
```

Impact

Actors:

  • Attacker: Anyone.

  • Victim: The owner of the system.

Working Test Case:

  • Go to https://sepolia.etherscan.io/ and enter a PasswordStore contract address (for example 0xF9d459e6BBA01ee4fF6a68aA9F0284aEdf0C8047)

  • Open a tx with Set Password method (for example: https://sepolia.etherscan.io/tx/0x8593641cb28d9b0b3bf7f704309a351e9d947bae19044330e23d14b1036842d4)

  • Access the Input data in the More Details section. Using the Decode Input Data button will show the stored password.
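The two read paths described above (the plaintext in the setPassword calldata, and the plaintext in the contract's storage word) can be reproduced without Etherscan. The following is an added example, not code from the original submission or the PasswordStore project; all hex values are constructed, and the 4-byte selector is passed in as a labelled placeholder because the Python standard library has no keccak256 to derive the real one.

```python
"""
Added example (not from the original submission): shows that a `private`
Solidity string is readable off-chain, both from transaction calldata and
from the contract's raw storage words.  All sample values are constructed.
"""
from __future__ import annotations

WORD = 32  # EVM storage / ABI word size in bytes


def build_set_password_calldata(selector: bytes, password: str) -> bytes:
    """ABI-encode setPassword(string) the way a wallet does before sending.

    `selector` is the 4-byte function selector (keccak256("setPassword(string)")[:4]
    on the real contract); it is a parameter here because stdlib has no keccak.
    Layout for one dynamic argument:
      [selector][offset = 0x20][length][data padded to a 32-byte multiple]
    """
    if len(selector) != 4:
        raise ValueError("selector must be 4 bytes")
    data = password.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % WORD)
    return (selector + (0x20).to_bytes(WORD, "big")
            + len(data).to_bytes(WORD, "big") + padded)


def decode_set_password_calldata(calldata_hex: str) -> tuple[str, str]:
    """Decode tx input carrying a single `string` argument.

    Returns (selector_hex, password).  This is what Etherscan's
    "Decode Input Data" button does: nothing on this path is encrypted,
    so the plaintext password is recovered from the public transaction.
    """
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector, args = raw[:4], raw[4:]
    if len(args) < 2 * WORD:
        raise ValueError("calldata too short for a dynamic string argument")
    offset = int.from_bytes(args[:WORD], "big")
    length = int.from_bytes(args[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(args):
        raise ValueError("string length exceeds calldata")
    return "0x" + selector.hex(), args[start:start + length].decode("utf-8")


def decode_string_slot(slot_word: bytes, tail_words: list[bytes] | None = None) -> str:
    """Decode a Solidity `string` state variable from its raw storage word.

    Strings shorter than 32 bytes are stored in place: bytes left-aligned,
    lowest byte = 2 * length (low bit 0).  Longer strings keep 2 * length + 1
    in the slot and the bytes in consecutive words starting at keccak256(slot);
    pass those words (fetched with eth_getStorageAt) as `tail_words`.
    The `private` keyword plays no role: eth_getStorageAt is a public RPC.
    """
    if len(slot_word) != WORD:
        raise ValueError("storage word must be 32 bytes")
    marker = slot_word[-1]
    if marker & 1 == 0:  # short string, stored in place
        return slot_word[: marker // 2].decode("utf-8")
    length = (int.from_bytes(slot_word, "big") - 1) // 2
    if tail_words is None:
        raise ValueError("long string: need the words stored at keccak256(slot)")
    data = b"".join(tail_words)[:length]
    if len(data) != length:
        raise ValueError("not enough tail words for declared length")
    return data.decode("utf-8")


def encode_short_string_slot(value: str) -> bytes:
    """Constructed helper: the in-place storage word Solidity writes for a short string."""
    data = value.encode("utf-8")
    if len(data) >= WORD:
        raise ValueError("only strings shorter than 32 bytes are stored in place")
    return data + b"\x00" * (WORD - 1 - len(data)) + bytes([2 * len(data)])


if __name__ == "__main__":
    PLACEHOLDER_SELECTOR = bytes.fromhex("deadbeef")  # constructed, not the real selector
    calldata = build_set_password_calldata(PLACEHOLDER_SELECTOR, "myPassword")
    print(decode_set_password_calldata(calldata.hex()))          # ('0xdeadbeef', 'myPassword')
    print(decode_string_slot(encode_short_string_slot("myPassword")))  # myPassword
```

On a live contract the storage word would come from eth_getStorageAt on the slot holding s_password, and the calldata from eth_getTransactionByHash; the decoding shown here is all that stands between a public RPC response and the owner's password.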

Tools Used

Manual review

Recommendations

To mitigate this vulnerability, it is recommended to encrypt the password before storing it on the chain. This will ensure that even if the data is read, the actual password will not be immediately visible.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
