Beginner Friendly (Foundry)
Submission Details
Severity: high
Invalid

Exposure of Password via Event Emission Leading to Leakage of password.

Summary

The PasswordStore contract emits an event named SetNetPassword() each time a new password is set. This event includes the new password information as one of its parameters. This exposes sensitive data to potential attackers monitoring transactions. A malicious actor could eavesdrop on this event, extract the new password, and potentially compromise the security of the contract.

Vulnerability Details

The vulnerability can be reproduced with the following steps:

  1. Follow the documentation to deploy the contract.

  2. Copy the contract address and open RemixIDE.

  3. Deploy the PasswordStore at the given address.

  4. Set the password using the setPassword function.

By following these steps, you can observe the event emission and its exposure of sensitive data: when the function setPassword executes, a close look at the transaction logs shows that the newPassword input is also logged.

Impact

The impact of this vulnerability is two-fold. Firstly, it exposes sensitive data, compromising the confidentiality of the stored password. Secondly, it could lead to unauthorized access or misuse of the password, depending on the attacker's intentions.

  • The potential impact of this vulnerability will vary from medium to high risk, depending on how the exposed data is exploited.

Tools Used

  • RemixIDE

  • Contract deployment docs

Recommendations

Eliminate the Event:

Consider removing the SetNetPassword() event from the contract. This event does not appear to bring significant value and exposes sensitive information, making it a potential target for malicious actors. Removing it reduces the risk of event-based attacks and enhances the security of the contract.
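As an added regression check (not the report's or the project's code), the Foundry test below deploys a reconstruction of the event behaviour described in this report beside the recommended variant, records the logs that setPassword emits, and asserts whether the password appears in them. Both contract bodies are assumptions based only on this report's description; owner checks and other details of the real contract are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test, Vm} from "forge-std/Test.sol";

// Reconstructed from the report's description, not the project's code: the
// event carries the new password, so the plaintext lands in the receipt logs.
contract LeakyPasswordStore {
    event SetNetPassword(string newPassword);
    string private s_password;
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
        emit SetNetPassword(newPassword);
    }
}

// Hardened variant per the recommendation: the event carries no data.
contract HardenedPasswordStore {
    event SetNetPassword();
    string private s_password;
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
        emit SetNetPassword();
    }
}

// Regression test: record every log emitted by setPassword and flag any
// log whose data is the ABI encoding of the password.
contract EventLeakTest is Test {
    string constant SECRET = "s3cret-example"; // constructed sample value
    function _leaksSecret(Vm.Log[] memory logs) internal pure returns (bool) {
        bytes32 want = keccak256(abi.encode(SECRET));
        for (uint256 i = 0; i < logs.length; i++) {
            if (keccak256(logs[i].data) == want) return true;
        }
        return false;
    }

    function test_LeakyStorePutsPasswordInLogs() public {
        vm.recordLogs();
        (new LeakyPasswordStore()).setPassword(SECRET);
        assertTrue(_leaksSecret(vm.getRecordedLogs()));
    }

    function test_HardenedStoreKeepsPasswordOutOfLogs() public {
        vm.recordLogs();
        (new HardenedPasswordStore()).setPassword(SECRET);
        assertFalse(_leaksSecret(vm.getRecordedLogs()));
    }
}
```

Run with `forge test`; the first test documents the leak the report describes, the second guards against it being reintroduced.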

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
