Submission Details
Severity: high
Valid

Password can be examined through block explorers

Summary

Anyone can examine the password through the transaction's calldata using a block explorer like Etherscan.

Vulnerability Details

Setting the password through setPassword() with the newPassword parameter is not private: anyone can inspect the password in the transaction's calldata.

Specifically, the transaction's calldata is stored and processed publicly by EVM nodes, which lets anyone inspect it. The easiest way to examine the password is with a block explorer such as Etherscan.

```solidity
@>  function setPassword(string memory newPassword) external {
        s_password = newPassword;
        emit SetNetPassword();
    }
```

https://github.com/Cyfrin/2023-10-PasswordStore/blob/856ed94bfcf1031bf9d13514cb21b591d88ed323/src/PasswordStore.sol#L26
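As an added example (not part of this report or the PasswordStore repository), the following encoder/decoder shows how the newPassword argument of setPassword(string) is recovered from a transaction's calldata: the bytes any node or block explorer already holds. The 4-byte selector is a constructed placeholder, not the real selector of setPassword(string).

```python
# Added example: ABI encoding/decoding of a single `string` argument, as used
# by setPassword(string). The selector is a constructed placeholder.
from typing import Optional

PLACEHOLDER_SELECTOR = bytes.fromhex("deadbeef")  # constructed, not the real selector
WORD = 32  # ABI word size in bytes


def encode_set_password(password: str, selector: bytes = PLACEHOLDER_SELECTOR) -> bytes:
    """Build the calldata a wallet would send for setPassword(newPassword)."""
    raw = password.encode("utf-8")
    padded_len = (len(raw) + WORD - 1) // WORD * WORD  # round up to a full word
    return (
        selector
        + WORD.to_bytes(WORD, "big")        # head: offset of the dynamic string
        + len(raw).to_bytes(WORD, "big")    # tail: byte length of the string
        + raw.ljust(padded_len, b"\x00")    # tail: string bytes, zero-padded
    )


def decode_set_password(calldata: bytes) -> Optional[str]:
    """Recover the plaintext password from calldata; None if the layout is malformed."""
    body = calldata[4:]  # skip the function selector
    if len(body) < WORD:
        return None
    offset = int.from_bytes(body[:WORD], "big")
    if offset + WORD > len(body):
        return None
    length = int.from_bytes(body[offset:offset + WORD], "big")
    data = body[offset + WORD:offset + WORD + length]
    if len(data) != length:
        return None
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample: this is exactly what a block explorer shows under "Input Data".
    calldata = encode_set_password("correct horse battery staple")
    print("calldata:", calldata.hex())
    print("recovered password:", decode_set_password(calldata))
```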

Impact

The password can be inspected quickly by examining the transaction's calldata through a block explorer like Etherscan.

Tools Used

Manual Review

Recommendations

Sensitive data like passwords should not be processed or stored on a public blockchain.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
