First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Storage of Plain-Text Passwords

0xtheblackpanther

Summary

In the PasswordStore contract, the setPassword function stores plain-text passwords, which is a severe security risk.

Vulnerability Details

The PasswordStore contract's setPassword function stores passwords in plain text, posing a severe security risk due to potential unauthorized access and data breaches.

Impact

Storing plain-text passwords in the setPassword function of the PasswordStore contract poses a significant security risk.

Tools Used

  • Foundry

  • Manual testing

Recommendations

Secure hashing and salting should be implemented to protect user data.

-function setPassword(string memory newPassword) external {
- s_password = newPassword;
- emit SetNetPassword();
-}
+function setPassword(string memory newPassword) onlyOwner external {
+ s_passwordHash = keccak256(abi.encodePacked(newPassword, salt));
+ emit SetNetPassword();
+}
Make sure to define `bytes32 private salt;` and assign `salt = Random.generateRandomBytes32();` in constructor and for Random use `import "@openzeppelin/contracts/utils/cryptography/Random.sol";`
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.