Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Private Data Is Not Safe

Summary

On a blockchain, contract storage is not private.

Vulnerability Details

```solidity
string private s_password;
```

This storage slot is not safe: every storage slot of a deployed contract can be read directly from the chain by anyone, regardless of the `private` visibility keyword.

```solidity
// Foundry test that reads the "private" password straight out of storage.
// Assumes the usual test scaffold: a contract inheriting forge-std's Test,
// with `passwordStore` deployed and `owner` set in setUp().
function test_can_access_private_storage() public {
    vm.startPrank(owner);
    string memory expectedPassword = "myNewPassword";
    passwordStore.setPassword(expectedPassword);
    // s_password lives in storage slot 1 of this contract.
    uint256 storageSlot = 1;
    // vm.load reads any slot of any contract; no access control applies.
    bytes32 slotVal = vm.load(address(passwordStore), bytes32(storageSlot));
    assertEq(bytes32ToString(slotVal), expectedPassword);
}

// A string shorter than 32 bytes is stored inline, left-aligned, with
// length * 2 in the lowest byte, so copying bytes up to the first zero byte
// recovers a short password such as the one above.
function bytes32ToString(bytes32 _bytes32) internal pure returns (string memory) {
    uint8 i = 0;
    while (i < 32 && _bytes32[i] != 0) {
        i++;
    }
    bytes memory bytesArray = new bytes(i);
    for (i = 0; i < 32 && _bytes32[i] != 0; i++) {
        bytesArray[i] = _bytes32[i];
    }
    return string(bytesArray);
}
```
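As an added example (not part of this submission or of the PasswordStore project), the following Python decoder takes the raw 32-byte word that `vm.load` or the JSON-RPC call `eth_getStorageAt` returns for a `string` variable and decodes it using the length Solidity encodes in the word, so it also handles the 31-byte and the long-string layouts where a scan for the first zero byte gives the wrong answer. The function names and sample values are constructed for this demonstration.

```python
# Decoder for the raw 32-byte storage word of a Solidity `string` variable,
# i.e. what vm.load() above or the JSON-RPC call eth_getStorageAt returns.
# Solidity keeps a string shorter than 32 bytes inline: data left-aligned,
# (length * 2) in the lowest byte. For 32 bytes or more the whole word is
# (length * 2 + 1) and the data lives at keccak256(slot) and onwards.


def encode_short_string_slot(value: str) -> bytes:
    """Build the word Solidity stores for a string under 32 bytes.

    Only used here to construct sample slot values offline."""
    data = value.encode()
    if len(data) >= 32:
        raise ValueError("only strings shorter than 32 bytes are stored inline")
    return data.ljust(31, b"\x00") + bytes([len(data) * 2])


def decode_string_slot(word: bytes):
    """Return (True, value) for an inline string or (False, length) for a long one.

    The parity of the word tells the two layouts apart. Using the encoded
    length instead of scanning for a zero byte also decodes a 31-byte string
    correctly, where the last data byte sits directly before the length byte.
    """
    if len(word) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    as_int = int.from_bytes(word, "big")
    if as_int % 2 == 0:                       # even: inline short string
        return True, word[: word[31] // 2].decode()
    return False, (as_int - 1) // 2           # odd: only the length is here


def decode_by_zero_scan(word: bytes) -> bytes:
    """Mirror of the submission's bytes32ToString: copy up to the first zero."""
    n = 0
    while n < 32 and word[n] != 0:
        n += 1
    return word[:n]


if __name__ == "__main__":
    # Constructed sample: the password used in the test above.
    word = encode_short_string_slot("myNewPassword")
    print("slot word:", "0x" + word.hex())
    print("decoded:  ", decode_string_slot(word))
    # A 31-byte password: the zero scan wrongly keeps the length byte (0x3e, '>').
    word31 = encode_short_string_slot("a" * 31)
    print("by length:", decode_string_slot(word31)[1])
    print("by scan:  ", decode_by_zero_scan(word31))
```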

Impact

Exposure of sensitive data such as passwords, leading to potential security breaches.

Tools Used

Foundry (`forge test`)

Recommendations

Consider not using the blockchain for storing passwords or any other sensitive information.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in and not to derived contracts. In this case, private doesn't mean secret/confidential.
