Submission Details
Severity: high
Valid

`getPassword()` function can be monitored causing anyone to see the password

Summary

It's possible to monitor the `getPassword()` function from the blockchain nodes.

Vulnerability Details

When the `getPassword()` function is called, no change is made on the blockchain, so it's not possible to monitor or catch the return value (in our case the password) from the blockchain. However, it's possible to monitor it from the nodes.

Impact

After the contract is deployed and the initial password ("myPassword") is set, we can send the command below to the contract:

```
cast call 0x5fbdb2315678afecb367f032d93f642f64180aa3 "getPassword()" --rpc-url http://127.0.0.1:8545 --private-key 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
```

`0x5fbdb2315678afecb367f032d93f642f64180aa3` is the contract address, followed by the function we want to call, then the Anvil rpc-url and the private key we used during the deployment of the contract. Although `getPassword()` is a getter function, we have to provide the private key. Otherwise the call will be reverted by the `if` statement that prevents anyone who is not the contract owner from calling the function. The contract owner is set during deployment by the constructor.

Below is the value we receive as an output to our cast call command:

```
0x0000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000a6d7950617373776f726400000000000000000000000000000000000000000000
```

The third 32 bytes is the password encoded as hex: `6d7950617373776f726400000000000000000000000000000000000000000000`

The output of the `cast to-ascii 6d7950617373776f7264` command is the ASCII value of the password as stored in our contract:

```
myPassword
```
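The manual decoding above can be done in one step. The following Python sketch is an added example, not part of the original submission. It parses the three 32-byte words of the return data (offset, length, padded bytes) and rejects truncated input; the function name `decode_abi_string` is hypothetical, and the sample bytes are rebuilt from the values shown above.

```python
WORD = 32  # ABI return data is laid out in 32-byte words

# Constructed sample: rebuilt from the words shown in the cast output above.
RETURN_DATA = (
    "0x"
    + format(0x20, "064x")                    # word 0: offset of the length word
    + format(0x0A, "064x")                    # word 1: string length in bytes
    + "6d7950617373776f7264".ljust(64, "0")   # word 2: bytes, right-padded with zeros
)


def decode_abi_string(hex_data: str) -> str:
    """Decode return data of a function declared `returns (string memory)`."""
    if hex_data.startswith("0x"):
        hex_data = hex_data[2:]
    raw = bytes.fromhex(hex_data)
    if len(raw) < 2 * WORD:
        raise ValueError("return data too short for a dynamic string")

    # Word 0 holds the byte offset at which the length word starts.
    offset = int.from_bytes(raw[:WORD], "big")
    if offset + WORD > len(raw):
        raise ValueError("offset points past the end of the data")

    # The length word is followed directly by the string bytes.
    length = int.from_bytes(raw[offset:offset + WORD], "big")
    start = offset + WORD
    end = start + length
    if end > len(raw):
        raise ValueError("declared length exceeds the available data")

    # Everything after the string bytes must be zero padding.
    if any(raw[end:]):
        raise ValueError("non-zero bytes in the padding")
    return raw[start:end].decode("utf-8")


if __name__ == "__main__":
    print(decode_abi_string(RETURN_DATA))
```

The return data is plain ABI encoding with no secrecy applied, so whoever observes the `eth_call` response can recover the string the same way.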

Although the `getPassword()` function can be called only by the owner, and the return value will be seen by the owner of the contract, `eth_call` can be monitored on the Ethereum nodes.

Tools Used

  • Manual auditing

  • Foundry

Recommendations

Don't store passwords or any sensitive data on the blockchain. Limiting the usage of function calls to specific users will not hide the output of the function from anyone.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
