Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Private variables can be accessed easily outside of the blockchain

Summary

s_owner and s_password can be read easily despite being declared private. A simple script such as the one shared below reads the raw storage slots of the contract, which exposes the password.

Vulnerability Details

Simple script to access private variables:

const { ethers } = require("ethers"); // ethers v5 API (providers.JsonRpcProvider, getStorageAt)
const rpc_url = "https://eth.g.alchemy.com/v2/abcd"; // add your rpc_url here
const provider = new ethers.providers.JsonRpcProvider(rpc_url);
async function start() {
  const contract_address = process.env.CONTRACT_ADDRESS; // add contract address here
  const slot = process.env.STORAGE_SLOT; // add the storage slot of the contract you want to access
  // eth_getStorageAt returns the raw 32-byte word of that slot regardless of Solidity visibility
  const data = await provider.getStorageAt(contract_address, slot);
  console.log("Private Data :", data);
}
start().catch(console.error);

Impact

s_password can be read by anyone, which defeats the purpose of this contract.

Tools Used

Hardhat

Recommendations

Do not store passwords on the blockchain

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
