First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

EVM node's owner/runner can capture the password

serialcoder

Summary

The password can be captured by an owner/runner of the EVM node when the getPassword() is called.

Vulnerability Details

When the contract owner makes a call request to the getPassword(), the EVM node that processes the call request can easily capture the returned password, exposing the password to an owner/runner of the EVM node.

function getPassword() external view returns (string memory) {
if (msg.sender != s_owner) {
revert PasswordStore__NotOwner();
}
@> return s_password;
}

https://github.com/Cyfrin/2023-10-PasswordStore/blob/856ed94bfcf1031bf9d13514cb21b591d88ed323/src/PasswordStore.sol#L39

Impact

The password can be easily exposed to the owner/runner of the EVM node.

Tools Used

Manual Review

Recommendations

Sensitive data like passwords should not be processed or stored on a public blockchain.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.