Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Anyone can read the password, because nothing stored in an Ethereum smart contract is private or hidden

Summary

The 'getPassword' function guards its return value with an owner check that reverts for any other caller, which gives the impression that only the owner can read the password. That check only restricts calls made through the contract's ABI. In Ethereum, every storage slot of every contract is public data: any node, block explorer or RPC client can read it directly, so a state variable declared 'private' is never secret.

Vulnerability Details

The owner check in 'getPassword' does not protect the password. The string is stored in plain text in the contract's storage, and anyone can read that storage slot directly without calling the function at all.

function getPassword() external view returns (string memory) {
@>  if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    return s_password;
}

The following command reproduces the issue against the local Anvil deployment used for testing (the address is the one the contract received in that deployment, and slot 1 is where 's_password' lives in this contract's layout):

cast storage 0x5FbDB2315678afecb367f032d93F642f64180aa3 1
0x6d7950617373776f726400000000000000000000000000000000000000000014

The returned word is Solidity's short-string encoding: the UTF-8 bytes of the string left-aligned, with the lowest byte holding twice the length (0x14 = 20, so the string is 10 bytes long). Converting the leading ten bytes from hex to ASCII gives 'myPassword'; any hex-to-ASCII converter does it (for example 'cast --to-ascii' on those bytes). No transaction, no owner key and no call to 'getPassword' are needed.

Impact

The password is readable by anyone, not only the owner. The owner check in 'getPassword' protects nothing, because the value can be read from storage without calling the function, and it was already visible in the calldata of the transaction that stored it. Any secret kept on-chain this way must be treated as public from the moment it is written.

Tools Used

Cast (Foundry), manual review.

Recommendations

Do not store any secret on-chain, in any variable, regardless of its visibility modifier. If the application needs a secret, keep it off-chain. If some value must be referenced on-chain, store only data that is safe to publish, for example a ciphertext whose key never appears in any transaction, bearing in mind that anything written to the chain can be attacked offline indefinitely.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
