First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Spoofing a fake sender to get the password

serialcoder

Summary

The authorization scheme used in the getPassword() can be bypassed by spoofing a fake sender.

Vulnerability Details

The use of msg.sender as an authorization scheme in a view function like in the getPassword() can be spoofed. Anyone can set a fake sender in a call request to bypass this protection since a signature is not verified in a call request.

function getPassword() external view returns (string memory) {
@> if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
return s_password;
}

https://github.com/Cyfrin/2023-10-PasswordStore/blob/856ed94bfcf1031bf9d13514cb21b591d88ed323/src/PasswordStore.sol#L36

Impact

An attacker can spoof the msg.sender as the legitimate owner to get the password from the getPassword().

Tools Used

Manual Review

Recommendations

There is no way to fully ensure the legitimacy of the caller of a view function.

Moreover, if the purpose is to 'hide' the sensitive content of the s_password variable, that would not work since several techniques exist to extract them. In other words, sensitive data like passwords should not be processed or stored on a public blockchain.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.