Data Encryption and Leakage vulnerability
Summary
The contract currently involves setting and storing passwords without encryption.
Vulnerability Details
The primary vulnerability in the contract lies in the "setPassword" function. Initially, it utilized an "emit" statement to store passwords in the event logs, which is an impractical method for password storage. This approach makes password retrieval within the contract unattainable. Furthermore, the utilization of the event is flawed, as it does not associate passwords with users' addresses, as it does not accept any input. The recommended approach is to store passwords in the contract's memory, hashing them, rather than storing the actual password.
Impact
This vulnerability significantly affects the contract's functionality. Users are unable to set or retrieve their passwords from the contract. As per the current contract, setting a password is impossible, and any attempt to retrieve it results in an error for any user rather than the owner.
Tools Used
Foundry
Recommendations
The "setPassword" function should employ a suitable hash method to hash the password and store it within the contract, rather than storing it in the event transaction logs. The current approach poses a high risk of data leakage, as anyone with the account address could access the stored passwords.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.