First Flight #1: PasswordStore

First Flight #1

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Data Compromisation as stored password is publicly visible.

0xKriLuv

Summary

The private state variable 's_password,' which is intended for storing the owner's password, can be read by anyone who has the contract address. This allows the owner's password to be accessed, potentially resulting in the loss of secret data that could be maliciously used to access the intended service.

Vulnerability Details

Suppose Alex, the owner of the contract, has set the password to 'oldPass123' at the deployed contract address as shown below using foundry.

DESKTOP-RESHO69:~/2023-10-PasswordStore$ cast send $Contract_Address "setPassword(string)" "oldPass123" --rpc-url $RPC_URL --private-key $PRIVATE_KEY

Eve, the attacker, can inspect the contract and discover that the private variable 's_password' is stored in slot 1 in EVM storage. She can then access the value stored in slot 1 for the given contract address, convert the returned hex value to a string, and reveal the password set by the owner, Alex.

DESKTOP-RESHO69:~/2023-10-PasswordStore$ cast storage $Contract_Address 1

0x6f6c645061737331323300000000000000000000000000000000000000000014

DESKTOP-RESHO69:~/2023-10-PasswordStore$ cast to-ascii "0x6f6c645061737331323300000000000000000000000000000000000000000014"

oldPass123

This way Eve can access the private data set by Alex and potentially misuse the password before Alex.

Impact

Sensitive data is publicly visible giving the attacker an opportunity to act maliciously.

Tools Used

Foundry

Recommendations

There are two remedies for this attack:

Sensitive data should not be stored on-chain or through a smart contract since the information is publicly available. Private data, such as passwords or keys, should be stored off-chain.
Sensitive data should be hashed or encrypted before sending it to the contract, and only the hash should be stored.Although hashes cannot be decrypted to reveal the original string. Solidity provides some hash functions that can be used: Keccak256 (SHA-3 by Ethereum), SHA256, and RIPEMD-160."0

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.