First Flight #1: PasswordStore

First Flight #1

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Password Exposure through setPassword Function Transaction Data

luiscfaria

Summary

The setPassword function in the smart contract exposes the password to public visibility on the blockchain. Whenever this function is called, the transaction data, including the password, is stored on the blockchain and can be viewed and decoded by anyone using tools like Etherscan.

Vulnerability Details

The vulnerability exists in the setPassword function of the PasswordStore contract. When this function is invoked, the newPassword argument value is stored on the blockchain as input data of the transaction. Since the blockchain is a public ledger, anyone can view this transaction data using blockchain explorers like Etherscan or Foundry's cast commands. Furthermore, the input data can be easily decoded to reveal the password, which compromises the privacy and security of the password.

Impact

This vulnerability has a High impact the exposure of the password poses a direct threat to the main functionality of the protocol, which is to securely store and retrieve passwords. The ease of exploitation—where anyone can view and decode the transaction data to obtain the password—further underscores the severity of this vulnerability.

Impact on the protocol: The protocol's main functionality of securely storing and retrieving passwords is directly compromised.
Likelihood of exploitation: The exploitation is highly likely as it requires no special conditions—anyone can view and decode the transaction data on the blockchain.

Tools Used

Etherscan: For viewing and analyzing blockchain transactions.

Recommended Mitigation

To mitigate this vulnerability, it is recommended to:

Avoid Storing Passwords on-chain: It's a bad practice to store sensitive data like passwords on the blockchain. Consider alternative methods of authentication and authorization.
Use Hashing: If it's essential to verify a password on-chain, consider storing a hash of the password instead of the plain text password. This way, even if the hash is visible, it won't reveal the actual password.
Use Off-chain Solutions: Consider using off-chain solutions for storing and verifying passwords, which would keep sensitive data off the public blockchain.
Implement Access Control: Ensure that only authorized users can call sensitive functions, reducing the chances of malicious exploitation.

Updates

Lead Judging Commences

inallhonesty Lead Judge

almost 2 years ago

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.