First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

s_password is not hashed

ivaniuss

Summary

The PasswordStore::s_password variable is storing the password value being set in the PasswordStore::setPassword function without any kind of hashing. This allows any kind of user to read the slots of the smart contracts and read the variable value.

Vulnerability Details

When a user set a new password, the value of this password is being set into the PasswordStore::s_password variable which is being save in one of the slots of the storage. That means that any kind of user would have access to this value which is not good when it comes to sensitive information.

Impact

Access to the PasswordStore::s_password variable when reading the storage slots.

Tools Used

Foundry

Recommendations

Change the variable type from string to bytes32 since we are hashing the password to a bytes32 type.
Add hash conversion into the PasswordStore::setPassword function.

- string private s_password;
+ bytes32 private s_password;
function setPassword(string memory newPassword) external {
- s_password = newPassword;
+ s_password = keccak256(abi.encodePacked(newPassword));
emit SetNetPassword();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.