Submission Details
Severity:
s_password set to private but it can still be accessed
Summary
Variables set to private in solidity can still be accessed and read by anyone.
Vulnerability Details
Private variables are not actually private, everything on the blockchain is public and can be read by anyone.
Impact
If a malicious user was to access the password, they could do anything they want with it.
Tools Used
Found the vulnerability doing a manual review, tested it using foundry
// get the password, which is stored in storage slot 1
bytes32 password = vm.load(address(passwordStore), bytes32(uint256(1)));
Recommendations
You could hash the password
- string private s_password;
+ bytes32 private s_passwordHash;
- s_password = newPassword;
+ s_passwordHash = keccak256(abi.encodePacked(newPassword));
Updates
Lead Judging Commences
inallhonesty
almost 2 years ago
inallhonesty almost 2 years ago
Submission Judgement Published Assigned finding tags:
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
nSLOC
20This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.