First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Password Encryption(loose) Missing

theirrationalone

Summary

Even though we sign the contract deployment(source code) using our private key, why not utilize ABI's encoding and decoding utilities? In my opinion, that would make reversing a smart contract's bytecode (Especially password) more difficult. We can't perform keccak256 hashing or any similar one-way hashing from SHA Family because it can't be reversed. Although we can use MD5 😅.

Vulnerability Details

function setPassword(string memory newPassword) external onlyOwner {
// s_password = newPassword; // Storing Password as a Plain text not a good practice ❌
// Kind of hashing(but can be reversed) === Encoding a Password Should be considered a good practice.
// I performed ABI Encoding below 👇. Sorry if you find it verbose.
s_password = abi.encode(newPassword);
// emit SetNetPassword(); // typo Net ❌, New ✅
emit SetNewPassword(); // typo fixed, New ✅
}

Impact

It would be an overhead for adversaries or attackers to decode a 2x encoded password. 2x encoding makes owner's password not to fit either into a dictionary or into a rainbow table.

Tools Used

Manually Hunted.

Recommendations

Use inbuilt ABI's Encoding & Decoding Utilities as i used or Implement MD5 or some similar encryption algorithmic utilities.

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.