Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Ethereum blockchain transparency allows anyone to view the stored password in cleartext

Summary

Since the Ethereum blockchain is transparent and openly accessible, sensitive information cannot be stored securely in cleartext.

Vulnerability Details

The PasswordStore contract is documented as letting a user "...store a private password that others won't be able to see." Because the Ethereum blockchain is transparent and readable by anyone, any password stored through setPassword is publicly visible.

An example of how this can be exploited is provided below:

  • Deploy the PasswordStore contract to a public blockchain. For this example, I deployed it to the Sepolia testnet with the address 0x7408CFA4Eb94Cb29bf894CB58D352bc2D1F55ABA, which can be found through this Etherscan link.

  • Call setPassword. For this example, I've provided the value "Password" as the string parameter to store in s_password. This transaction can be viewed through this Etherscan link.

  • The encoded input data for this transaction is openly available for anyone to see, which in this case reads: 0x290bb4530000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000850617373776f7264000000000000000000000000000000000000000000000000.

  • This input data can then be decoded directly on Etherscan, which provides the following output:

      Name         Type    Data
      newPassword  string  Password

  • The end result is the password "Password" being available in cleartext for anyone to access.
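As an added example (not code from the original submission or from the PasswordStore project), the following Python decodes the setPassword calldata quoted above using only the standard library, so the point does not depend on Etherscan's decoder; it also builds the same encoding from a string so the round trip can be checked. The function and constant names are this example's own.

```python
# Added example (not part of the original submission): decode the setPassword
# calldata quoted above using only the Python standard library, to show that
# the "private" password is recoverable by anyone who can read the transaction.
# Function and constant names are this example's own.

# Calldata copied from the report: the 4-byte selector 0x290bb453 followed by
# the ABI encoding of one `string` argument.
CALLDATA_HEX = (
    "0x290bb453"
    "0000000000000000000000000000000000000000000000000000000000000020"
    "0000000000000000000000000000000000000000000000000000000000000008"
    "50617373776f7264000000000000000000000000000000000000000000000000"
)

# Selector of setPassword(string) as it appears in the report's calldata.
SET_PASSWORD_SELECTOR = bytes.fromhex("290bb453")


def _word(buf: bytes, pos: int) -> int:
    """Read the 32-byte big-endian unsigned word starting at byte offset pos."""
    if pos + 32 > len(buf):
        raise ValueError("calldata truncated: no full word at offset %d" % pos)
    return int.from_bytes(buf[pos:pos + 32], "big")


def decode_single_string_call(calldata_hex: str) -> tuple[bytes, str]:
    """Return (selector, argument) for a call that takes exactly one `string`.

    ABI layout after the selector:
      head word        : byte offset (relative to the argument area) of the
                         string's length word, 0x20 for a single argument
      word at offset   : byte length of the string
      following bytes  : UTF-8 contents, right-padded with zeros to a
                         multiple of 32 bytes
    """
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector, args = data[:4], data[4:]
    offset = _word(args, 0)
    length = _word(args, offset)
    start = offset + 32
    padded = (length + 31) // 32 * 32
    if start + padded > len(args):
        raise ValueError("string body and padding exceed calldata")
    body = args[start:start + length]
    if any(args[start + length:start + padded]):
        raise ValueError("non-zero bytes in ABI padding")
    return selector, body.decode("utf-8")


def password_from_calldata(calldata_hex: str) -> str:
    """Recover the newPassword argument from a setPassword(string) transaction."""
    selector, value = decode_single_string_call(calldata_hex)
    if selector != SET_PASSWORD_SELECTOR:
        raise ValueError("not a setPassword(string) call: selector 0x%s" % selector.hex())
    return value


def encode_set_password_call(password: str) -> str:
    """Build the calldata setPassword(string) would receive, for round-trip checks."""
    body = password.encode("utf-8")
    padded = body + b"\x00" * (-len(body) % 32)
    args = (32).to_bytes(32, "big") + len(body).to_bytes(32, "big") + padded
    return "0x" + (SET_PASSWORD_SELECTOR + args).hex()


if __name__ == "__main__":
    print("recovered password:", password_from_calldata(CALLDATA_HEX))
```

Running the module prints the recovered value "Password". The decoder checks the offset, length and zero padding before trusting them, so a truncated or malformed input raises ValueError instead of returning garbage.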

Impact

The goal of PasswordStore is to securely store a private password. Once deployed on the Ethereum blockchain, no password stored in the contract can be considered private or secure due to the transparent nature of the blockchain. This results in the PasswordStore contract being unusable for its intended purpose.

Tools Used

Manual analysis, Etherscan, Remix

Recommendations

The preferred solution would be to store the private password off-chain, ideally with a trusted open-source and locally-hosted password manager. If the password must be stored on-chain, it should first be encrypted locally (and decrypted locally after being retrieved from PasswordStore via getPassword), with the understanding that the encrypted value stored on-chain will still be publicly readable by anyone.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
