The PasswordStore contract is used to store a private password on-chain. Because of that, the password is exposed to anyone who reads the blockchain data.
The setPassword function in the PasswordStore contract stores the password directly on the blockchain without any encryption or hashing. This means it is visible as clear text and anyone can access it.
Proof of Concept:
1. Deploy the contract using Account1 as the owner.
2. Call the setPassword function and set a new password.
3. Inspect the blockchain data and you should be able to read the saved password as clear text.
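The third step can be reproduced without a block explorer: the raw 32-byte storage slot of a contract is readable by anyone through eth_getStorageAt (for example `cast storage <address> <slot>`), and a Solidity `string` state variable has a documented layout inside that slot. The decoder below is an added example, not code from the finding or from the PasswordStore project; it assumes the password occupies a single slot (a string of at most 31 bytes) and constructs its sample slot value offline instead of reading it from a node.

```python
"""Decode a Solidity `string` out of a raw storage slot value.

Added example (not part of the PasswordStore finding). Solidity stores a
string of <= 31 bytes inline: the bytes are left-aligned in the 32-byte
word and the lowest byte holds `2 * length`. A longer string keeps only
`2 * length + 1` in the slot and puts its bytes at keccak256(slot).
The slot index of s_password is an assumption for the usage below
(slot 1, i.e. right after an owner address in slot 0).
"""


def encode_short_string_slot(text: str) -> str:
    """Build the 32-byte word Solidity writes for a string of <= 31 bytes.

    Used only to construct sample input offline; a real check would take the
    word returned by eth_getStorageAt instead.
    """
    data = text.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only strings of at most 31 bytes fit in one slot")
    word = data.ljust(31, b"\x00") + bytes([len(data) * 2])
    return "0x" + word.hex()


def describe_string_slot(slot_hex: str) -> tuple[int, bool]:
    """Return (byte_length, stored_inline) for a string's storage word."""
    word = bytes.fromhex(slot_hex.removeprefix("0x")).rjust(32, b"\x00")
    low = word[-1]
    if low & 1 == 0:
        return low // 2, True
    # Long-string marker: the whole word is 2 * length + 1.
    return (int.from_bytes(word, "big") - 1) // 2, False


def decode_string_slot(slot_hex: str) -> str:
    """Recover the clear-text string from an inline (short) string slot."""
    length, inline = describe_string_slot(slot_hex)
    if not inline:
        raise ValueError(
            f"long string of {length} bytes: its data starts at "
            "keccak256(slot); read those slots instead"
        )
    word = bytes.fromhex(slot_hex.removeprefix("0x")).rjust(32, b"\x00")
    return word[:length].decode("utf-8", errors="replace")


# Constructed sample: the word slot 1 would hold after setPassword("myPassword").
SAMPLE_SLOT = "0x6d7950617373776f7264" + "00" * 21 + "14"

if __name__ == "__main__":
    # Anyone who can query storage gets the password back unchanged.
    print(decode_string_slot(SAMPLE_SLOT))  # myPassword
```

With a live node the only change is replacing SAMPLE_SLOT by the hex word returned for the contract's password slot; the `private` keyword has no effect on what that call returns.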
The impact is high and the likelihood is also high: attackers can easily retrieve the sensitive information because blockchain data is public.
Manual Review
Sensitive data such as passwords should not be stored as clear text on the blockchain. Consider hashing the password, or encrypting it off-chain before storing it, in order to protect it.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private does not mean secret or confidential.