Beginner Friendly, Foundry
Submission Details
Severity: medium
Invalid

getPassword should emit an event

Summary

getPassword should emit an event so that the contract's owner has a record of every time the function was called. Normally, I think you only emit events for state changes, but when you are dealing with something as sensitive as a password, I think it's worth knowing whenever someone has accessed it. You do have a limitation that only the owner can call getPassword, but what if someone accesses your private keys and uses them to find out your (unencrypted) password?

Vulnerability Details

getPassword does not emit an event:

    function getPassword() external view returns (string memory) {
        // Only the owner may read the stored password
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        return s_password;
    }

Impact

Someone could access your password and you wouldn't know since no event is emitted.

Tools Used

Manual review

Recommendations

Add an event:

    event PasswordRetrieved(uint256 timestamp);

Then modify the getPassword function:

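    // `view` is removed: a function that emits an event writes a log and cannot be `view`
    function getPassword() external returns (string memory) {
        if (msg.sender != s_owner) {
            revert PasswordStore__NotOwner();
        }
        // Emit before returning; a statement placed after `return` is never reached
        emit PasswordRetrieved(block.timestamp);
        return s_password;
    }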

Consider also using a blockchain notification app to get a notification of the emission of all events for this contract.
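A Foundry test for the recommended change, added here as an example and not part of the original submission or the audited code base. The contract name `PasswordStoreWithEvent`, its constructor, the pragma, the test names and the sample password are assumptions made for illustration; only `s_owner`, `s_password`, `PasswordStore__NotOwner` and `PasswordRetrieved` come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18; // assumed compiler version
import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the audited contract (constructor is an assumption).
contract PasswordStoreWithEvent {
    error PasswordStore__NotOwner();
    event PasswordRetrieved(uint256 timestamp);
    address private s_owner;
    string private s_password;

    constructor(string memory password) {
        s_owner = msg.sender;
        s_password = password;
    }

    // Not `view`: the log is only persisted when this call is mined as a transaction.
    function getPassword() external returns (string memory) {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        emit PasswordRetrieved(block.timestamp);
        return s_password;
    }
}

contract PasswordRetrievedTest is Test {
    event PasswordRetrieved(uint256 timestamp);
    PasswordStoreWithEvent store;
    address owner = makeAddr("owner");

    function setUp() public {
        vm.prank(owner);
        store = new PasswordStoreWithEvent("constructed-sample");
    }

    function test_OwnerReadEmitsEvent() public {
        vm.warp(1_700_000_000); // constructed timestamp
        vm.expectEmit(true, true, true, true, address(store));
        emit PasswordRetrieved(1_700_000_000);
        vm.prank(owner);
        assertEq(store.getPassword(), "constructed-sample");
    }

    function test_NonOwnerRevertsAndLogsNothing() public {
        vm.recordLogs();
        vm.prank(makeAddr("stranger"));
        vm.expectRevert(PasswordStoreWithEvent.PasswordStore__NotOwner.selector);
        store.getPassword();
        assertEq(vm.getRecordedLogs().length, 0);
    }
}
```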

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
