Severity: high
Valid

Anyone can see what the password is

Summary

Labeling a variable on a smart contract as private does not mean it can't be accessed. Anyone can look at the storage slots of the deployed PasswordStore.sol contract and read the password.

Vulnerability Details

To illustrate this vulnerability, first run `make anvil` to create a local blockchain.

Then, in a new terminal, deploy the contract with `make deploy` and run `cast storage "contract address"`.

The last command outputs the following:

| Name | Type | Slot | Offset | Bytes | Value | Contract |
|------------|---------|------|--------|-------|-------------------------------------------------------------------------------|-------------------------------------|
| s_owner | address | 0 | 0 | 20 | 1390849295786071768276380950238675083608645509734 | src/PasswordStore.sol:PasswordStore |
| s_password | string | 1 | 0 | 32 | 49516443757395204518384437876896412918898210405993719258753982441762571943956 | src/PasswordStore.sol:PasswordStore |

As the table above shows, a value is given for the s_password variable. Converting it to hexadecimal gives 6D7950617373776F7264, and converting that to a string gives myPassword.
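The conversion described above, as an added example that is not part of the original submission: it decodes the decimal uint256 that `cast storage` prints for a `string` slot, following Solidity's storage layout, where a short string is left-aligned and the lowest byte holds length × 2 (so the full 32-byte word ends in 0x14 after the hex shown above). The function name `decode_string_slot` is hypothetical; the slot value is the one from the table.

```python
# Added example: decode a Solidity `string` storage slot from the decimal
# uint256 printed by `cast storage`. Names here are hypothetical.

def decode_string_slot(slot_value: int) -> dict:
    """Interpret one 32-byte storage word as a Solidity string/bytes slot."""
    if not 0 <= slot_value < 2**256:
        raise ValueError("storage word must fit in 32 bytes")
    word = slot_value.to_bytes(32, "big")
    if slot_value & 1:
        # Long layout (32 bytes or more): the slot holds length*2 + 1 and the
        # data lives in consecutive slots starting at keccak256(slot index),
        # so this word alone carries only the length.
        return {"layout": "long", "length": (slot_value - 1) // 2, "text": None}
    # Short layout (31 bytes or fewer): data is left-aligned in the word and
    # the lowest-order byte stores length*2.
    length = word[31] // 2
    if length > 31 or any(word[length:31]):
        raise ValueError("not a valid short string encoding")
    return {
        "layout": "short",
        "length": length,
        "text": word[:length].decode("utf-8", errors="replace"),
    }

# Value of slot 1 (s_password) copied from the table above.
PAGE_SLOT_1 = 49516443757395204518384437876896412918898210405993719258753982441762571943956

if __name__ == "__main__":
    print(PAGE_SLOT_1.to_bytes(32, "big").hex())  # full 32-byte word
    print(decode_string_slot(PAGE_SLOT_1))
```

The `private` keyword plays no part in the decoding: the word is read from contract storage, which every node holds in full.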

Impact

This issue has been listed as High, since anyone can see the value of s_password.

Tools Used

Foundry & Manual Review

Recommendations

Store your password off-chain. Nothing on the blockchain is private.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
