First Flight #1: PasswordStore

First Flight #1

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Missing multiple user functionality

crypt0mate

Summary

according to the README.md ** ...Users should be able to store a password and then retrieve it later. Others should not be able to access the password... ** . as it stands now the contract does not cater for multiple users.

Vulnerability Details

The smart contract can only store one password in the global variable s_password . This password will be the one set by the last user to call setPassword() so it will not serve the intended purpose. also after setting the password only the deployer of the contract is allowed to retrieve it because there is access control built into the getPassword() function.

Impact

Contract will not work for multiple users.

Tools Used

Manual code review

Recommendations

Passwords can be stored in a mapping where the keys are the users’ addresses and the values are the hashed passwords. Passwords should be hashed off-chain using keccak256, a one-way function. This means that given the hash of a password, it’s impossible to compute the actual plaintext password that was used to generate the hash. Only the hash of the password should be stored on-chain because the plaintext password can easily be decoded from the calldata in the transaction used to set a user’s password. Validation of a user should be done by comparing the hash of the stored password with the hash of the password sent by a user trying to access functionality that requires the password. This validation should be done off-chain because an attacker can decode the calldata and see the password

here is any example of how this can be achieved.
`
contract PasswordStore {
error PasswordStore__NotOwner();

// Mapping from address to password hash
mapping(address => bytes32) private s_passwordHashes;

event SetNewPassword(address indexed user);

/*
 * @notice This function allows user to set a new password.
 * @param newPasswordHash The new password hash to set.
 */
function setPassword(bytes32 newPasswordHash) external {
    s_passwordHashes[msg.sender] = newPasswordHash;
    emit SetNewPassword(msg.sender);
}

/*
 * @notice This allows user to retrieve only thier password.
 */
function getPassword() external view returns (bytes32) {
    bytes32 userPasswordHash = s_passwordHashes[msg.sender];
    require(userPasswordHash != 0, "No password set for user");
    return userPasswordHash;
}

} `

Updates

Lead Judging Commences

inallhonesty Lead Judge

almost 2 years ago

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

crypt0mate Submitter

almost 2 years ago

inallhonesty Lead Judge

almost 2 years ago

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.