First Flight #1: PasswordStore

First Flight #1

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Compromised Password Integrity through Storage Slot Access

luiscfaria

Summary

The PasswordStore smart contract stores passwords in contract storage as a private variable. However, the privacy of this storage is compromised as the contents can be directly fetched and decoded from the storage slots using commands like cast storage and cast parse-bytes32-string.

Vulnerability Details

The vulnerability resides in the manner the PasswordStore contract stores the password in its storage. Despite s_password being declared as a private variable, the data stored in Ethereum's contract storage slots is accessible. By using specific commands, an adversary can fetch and decode the contents of the storage slots to reveal the stored password. The following commands demonstrate this exploit:

Example:

cast storage <contract-address> 1 --rpc-url <rpc-url>

0x7040737377307264000000000000000000000000000000000000000000000010 <--- output

cast parse-bytes32-string 0x7040737377307264000000000000000000000000000000000000000000000010

p@ssw0rd <---------- output

Impact

This vulnerability holds a High severity based on the provided severity evaluation criteria. The exposure of the password poses a direct threat to the main functionality of the protocol, which is to securely store and retrieve passwords. Additionally, the straightforward exploitation path further accentuates the severity of this vulnerability.

Impact on the protocol: The protocol's main functionality of securely storing and retrieving passwords is directly compromised.
Likelihood of exploitation: The exploitation is highly likely since it requires no special conditions - anyone with knowledge of the contract's address and the aforementioned commands can access and decode the stored password.

Tools Used

Foundry's cast command: For fetching the contents of storage slots and parsing the stored data.

Recommended Mitigation

Enhanced Access Control: Implementing strict access control mechanisms to restrict the reading of storage slots to authorized entities only.
Off-chain Storage: Consider off-chain solutions for storing sensitive data like passwords, keeping them off the public blockchain.
Encryption: If on-chain storage is necessary, consider encrypting sensitive data before storing it, ensuring only authorized parties with the decryption key can access the actual data.
Hashing: Store a hash of the password instead of the plaintext password, ensuring that even if the storage is accessed, the actual password remains concealed.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.