Ethereum smart contract code, storage, and any data transacted on-chain can always be read. Treat it as such. Even if your source code is not verified, attackers can still decompile the bytecode or inspect transactions to and from the contract to analyze it. For this reason, it is imperative that private data is never stored on-chain unencrypted.
PasswordStore stores the password unencrypted, so an attacker (using a blockchain explorer or a node) can query the variable's storage slot and retrieve the password in hexadecimal format.
The vulnerability occurs due to the false assumption that if a variable is marked `private` then no one can read it, combined with the fact that the password is stored in clear text.
Add the following function in provided test file PasswordStore.t.sol:
Run the test with verbose option:
Observe that the password is retrieved in hexadecimal format.
Anyone can read the contract's sensitive password.
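To make the "hexadecimal format" observation concrete, here is an added, self-contained example (not the audit's PoC test from PasswordStore.t.sol, and not project code). It models how Solidity lays out a `string` shorter than 32 bytes inside one storage slot word (data left-aligned, lowest byte holding `2 * length`), and shows that the word an explorer or `eth_getStorageAt` returns decodes straight back to the clear-text value. The slot word is constructed locally; it assumes Python 3.9 or newer.

```python
"""Constructed illustration of why `private` offers no confidentiality:
a Solidity short string (<= 31 bytes) sits in a single 32-byte slot word
and its bytes decode back to text with no key or secret required.
This is an added example, not the audit's test; the slot word below is
constructed here, not read from any deployed contract."""

SLOT_BYTES = 32


def encode_short_string_slot(value: str) -> str:
    """Build the 32-byte word Solidity writes for a string of at most 31 bytes:
    UTF-8 data left-aligned, zero padding, and the lowest byte = 2 * length."""
    data = value.encode("utf-8")
    if len(data) > 31:
        raise ValueError("strings of 32+ bytes use the long layout (data at keccak256(slot))")
    word = data + b"\x00" * (SLOT_BYTES - 1 - len(data)) + bytes([len(data) * 2])
    return "0x" + word.hex()


def decode_short_string_slot(slot_hex: str) -> str:
    """Recover the clear text from a slot word as an explorer or
    eth_getStorageAt would return it (0x-prefixed, 64 hex digits)."""
    raw = bytes.fromhex(slot_hex.removeprefix("0x"))
    if len(raw) != SLOT_BYTES:
        raise ValueError("expected a 32-byte slot word")
    marker = raw[-1]
    if marker & 1:
        # Lowest bit set means the long layout: this word holds 2*length + 1
        # and the actual bytes live at keccak256(slot); not handled here.
        raise ValueError("long string: contents live at keccak256(slot), not in this word")
    length = marker // 2
    if length > 31:
        raise ValueError("malformed short-string length byte")
    return raw[:length].decode("utf-8")


# Constructed slot word standing in for what a storage query would return.
CONSTRUCTED_SLOT_WORD = encode_short_string_slot("myPassword")

if __name__ == "__main__":
    print("slot word :", CONSTRUCTED_SLOT_WORD)
    print("decoded   :", decode_short_string_slot(CONSTRUCTED_SLOT_WORD))
```

The decoder deliberately refuses words with the low bit of the last byte set: those belong to strings of 32 bytes or more, whose data is stored elsewhere, so a longer secret is just as exposed, only at a different location.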
Manual analysis
Encrypt the password using the EOA's private key before storing it on the blockchain, so that only the holder of that key can recover it.
https://consensys.github.io/smart-contract-best-practices/development-recommendations/general/public-data
Anyone can call `setPassword` and set a new password, contrary to the intended purpose that only the owner should be able to do so.