Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Saving the password unencrypted is not safe

Summary

The blockchain is public and readable by anyone, so storing the password in clear text, without any form of encryption, is not safe.

Vulnerability Details

The function PasswordStore::setPassword writes the password to storage without encryption:

function setPassword(string memory newPassword) external {
@> s_password = newPassword;
emit SetNetPassword();
}

With the following test I can read storage slot 1 (the slot backing s_password; slot 0 holds s_owner) and recover the password:

function test_read_saved_password_from_storage() public {
vm.startPrank(owner);
string memory expectedPassword = "myNewPassword";
passwordStore.setPassword(expectedPassword);
// Read the raw word backing `s_password` (storage slot 1) with a cheatcode;
// the `private` visibility modifier does not stop this.
bytes32 slot1 = vm.load(address(passwordStore), bytes32(uint256(1)));
console.logBytes32(slot1);
// It returns "0x6d794e657750617373776f72640000000000000000000000000000000000001a"
// Short-string layout: data left-aligned, lowest byte = length*2 (0x1a = 26 = 2*13).
// Converted from bytes32 to string is "myNewPassword"
}
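The decoding step the test only describes in a comment, as an added example (not part of the original submission): it takes the raw 32-byte words that vm.load or eth_getStorageAt return for PasswordStore and decodes slot 1 (s_password) and slot 0 (s_owner). The slot 1 word is the value shown in the report; the slot 0 address is a constructed placeholder.

```python
from typing import Dict, Optional, Tuple

# Constructed sample of the contract's storage as returned by vm.load / eth_getStorageAt.
# Slot 1 is the word the report shows after setPassword("myNewPassword");
# slot 0 (s_owner) is a made-up address.
SAMPLE_STORAGE: Dict[int, bytes] = {
    0: bytes.fromhex("000000000000000000000000" + "ab" * 20),
    1: bytes.fromhex("6d794e657750617373776f7264" + "00" * 18 + "1a"),
}


def decode_address_slot(word: bytes) -> str:
    """An address occupies the low 20 bytes of its 32-byte slot."""
    assert len(word) == 32, "storage words are exactly 32 bytes"
    return "0x" + word[12:].hex()


def decode_string_slot(word: bytes) -> Tuple[bool, int, Optional[str]]:
    """Decode the slot backing a Solidity `string` state variable.

    Short strings (< 32 bytes): data is left-aligned in the slot and the
    lowest byte holds length*2 (always even).
    Long strings: the whole word equals length*2 + 1 (odd) and the bytes live
    in consecutive slots starting at keccak256(slot index), so only the
    length is recoverable from this word.
    Returns (is_short, length, text); text is None for long strings.
    """
    assert len(word) == 32, "storage words are exactly 32 bytes"
    if word[31] % 2 == 0:
        length = word[31] // 2
        if length > 31:
            raise ValueError("short-string marker exceeds 31 bytes")
        return True, length, word[:length].decode("utf-8")
    length = (int.from_bytes(word, "big") - 1) // 2
    return False, length, None


def recover_password(storage: Dict[int, bytes]) -> Optional[str]:
    """Read slot 1 the way the report's test does and return the clear-text password."""
    _, _, text = decode_string_slot(storage[1])
    return text


if __name__ == "__main__":
    print("owner   :", decode_address_slot(SAMPLE_STORAGE[0]))
    print("password:", recover_password(SAMPLE_STORAGE))
```

Against a live deployment the same decoding works on the output of `cast storage <address> 1`, which is why `private` gives no confidentiality.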

Impact

The impact is medium: because the password is not encrypted, anyone who reads the contract's storage slot obtains it directly.
I didn't set the impact to high because it's not clear from the specifications whether data encryption was required.

Tools Used

  • Manual check

  • Foundry

Recommendations

Encrypting on-chain is difficult. It is recommended that the password be encrypted off-chain (with a salt where possible) before it is sent to the contract, rather than stored in clear text.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
