Submission Details
Severity: high
Valid

Password Exposure in Smart Contract

Summary

When a user submits a transaction to save their password, it may be visible to everyone in the transaction's calldata.

Vulnerability Details

In the codebase, the setPassword function is responsible for saving a user's password on the blockchain. Because a user (especially one who is not technically literate) may submit the password unencrypted, and transaction calldata is public, anyone who inspects the transaction can read the password directly from its calldata.

Here's the relevant code snippet:

/**
 * @notice This function allows only the owner to set a new password.
 * @param newPassword The new password to set.
 */
function setPassword(string memory newPassword) external {
    s_password = newPassword;
    emit SetNetPassword();
}
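To make the exposure concrete, the following added example (not part of this submission or of the PasswordStore codebase) reproduces what a wallet puts in a setPassword(string) transaction's calldata and what any observer can recover from it with nothing more than the ABI string layout. The 4-byte selector is a placeholder (the real one is keccak256("setPassword(string)")[:4], omitted to keep the example dependency-free), and the sample passwords are constructed. The last two helpers also show that the resulting storage slot for a short string is just as readable, which is the point of the judge's note below.

```python
"""Added example: recover the plaintext `newPassword` argument from public
transaction calldata, and from the storage slot it ends up in.
Selector and sample passwords are constructed placeholders."""

# Hypothetical selector. In reality: keccak256("setPassword(string)")[:4].
SET_PASSWORD_SELECTOR = bytes.fromhex("deadbeef")


def abi_encode_string(s: str) -> bytes:
    """ABI-encode one dynamic `string` argument: a 32-byte head holding the
    tail offset (0x20), then the length word, then data padded to 32 bytes."""
    data = s.encode("utf-8")
    head = (32).to_bytes(32, "big")
    length = len(data).to_bytes(32, "big")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return head + length + padded


def build_set_password_calldata(password: str) -> bytes:
    """What a wallet places in the transaction's `data` field."""
    return SET_PASSWORD_SELECTOR + abi_encode_string(password)


def decode_set_password_calldata(calldata: bytes) -> str:
    """What any block explorer or mempool watcher can do with that data."""
    if calldata[:4] != SET_PASSWORD_SELECTOR:
        raise ValueError("not a setPassword(string) call")
    args = calldata[4:]
    offset = int.from_bytes(args[0:32], "big")
    length = int.from_bytes(args[offset:offset + 32], "big")
    start = offset + 32
    return args[start:start + length].decode("utf-8")


def storage_slot_for_short_string(s: str) -> bytes:
    """Constructed helper: the 32-byte word Solidity keeps for a string of at
    most 31 bytes, stored in-place: bytes left-aligned, lowest byte = len * 2."""
    data = s.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only short strings (<= 31 bytes) are laid out in-place")
    return data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])


def decode_short_string_slot(slot_value: bytes) -> str:
    """Read a short string back out of its storage slot, as eth_getStorageAt
    (or Foundry's vm.load) would hand it to anyone who asks."""
    if len(slot_value) != 32:
        raise ValueError("storage slot value must be 32 bytes")
    low = slot_value[31]
    if low & 1:
        raise ValueError("long-string layout (>= 32 bytes) not handled here")
    length = low // 2
    return slot_value[:length].decode("utf-8")


if __name__ == "__main__":
    sample = "correct-horse-battery"  # constructed sample password
    calldata = build_set_password_calldata(sample)
    print("calldata:", calldata.hex())
    print("recovered from calldata:", decode_set_password_calldata(calldata))
    slot = storage_slot_for_short_string(sample)
    print("recovered from storage:", decode_short_string_slot(slot))
```

The decoder deliberately follows the offset word rather than assuming the data starts at a fixed position, so it also handles passwords longer than 32 bytes, which span several padded words. Neither the `private` visibility of `s_password` nor the lack of a return value changes anything here: the value is public the moment the transaction is broadcast.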

Impact

This vulnerability exposes the user's password to potential eavesdropping by anyone who examines the transaction. This could lead to unauthorized access to the user's account or personal information.

Tool used

Manual Review

Recommended Mitigation

To address this vulnerability, it is crucial to ensure that passwords are not stored in plain text. Additionally, explicit documentation should be provided, especially for users who may not be technically proficient.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, and not to derived contracts. In this case, private doesn't mean secret/confidential.
