Submission Details
Severity: high
Valid

Private variable storage does not secure the password on the blockchain, and anybody will be able to read it.

Summary

Saving the password in a private variable will not stop others from reading the password, as everything on the blockchain is public.

Vulnerability Details

Data stored on a public blockchain is visible to everyone, even if it's stored in a private variable. Private variables get no auto-generated public getter, but their raw storage slots can still be read with tools like Foundry's cast storage.

I will use Foundry's cast storage to illustrate how anybody can read the s_password private variable on Anvil.

Use the following script and command to deploy the contract on Anvil and set the password.

// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.18;

import {Script, console2} from "forge-std/Script.sol";
import {PasswordStore} from "../src/PasswordStore.sol";

contract DeployPasswordStore is Script {
    function run() public returns (PasswordStore) {
        vm.startBroadcast();
        PasswordStore passwordStore = new PasswordStore();
        // The password is passed in plain text and ends up in storage slot 1.
        passwordStore.setPassword("myPassword");
        vm.stopBroadcast();
        return passwordStore;
    }
}

Deploy Command:

forge script script/DeployPasswordStore.s.sol --rpc-url http://127.0.0.1:8545 --private-key 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80 --broadcast

Note: I'm using the private key of one of Anvil's default accounts, which only holds fake ETH, hence not exposing any private key with real funds.

Now copy the deployed contract address (in my case it's 0x5FbDB2315678afecb367f032d93F642f64180aa3) and use the following command to access the raw value of the s_password variable, which is stored at slot 1.

cast storage 0x5FbDB2315678afecb367f032d93F642f64180aa3 1 --rpc-url http://127.0.0.1:8545

You will get the following raw value: 0x6d7950617373776f726400000000000000000000000000000000000000000014

Now use the following command to convert it into plain text.

cast to-ascii "0x6d7950617373776f726400000000000000000000000000000000000000000014"

It will result in myPassword, which we stored in the s_password variable while deploying with our script.
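The raw word above follows Solidity's storage layout for strings: a short string (31 bytes or fewer) is left-aligned in the slot and its lowest byte holds length * 2, which is why the value ends in 0x14 (= 20 = 2 * 10). The following decoder is an added example, not part of the original submission; it reproduces what cast to-ascii shows here but respects the length byte, and also recognises the long-string marker (lowest bit set), where only the length lives in the slot. The sample value is the word obtained from slot 1 in the write-up.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the raw word read from slot 1 of PasswordStore on Anvil.
RAW_SLOT_1 = "0x6d7950617373776f726400000000000000000000000000000000000000000014"


@dataclass
class DecodedString:
    long: bool            # True if the bytes live out-of-line at keccak256(slot)
    length: int           # byte length of the string
    text: Optional[str]   # decoded text for short strings, None for long ones


def decode_string_slot(word_hex: str) -> DecodedString:
    """Decode one 32-byte storage word holding a Solidity `string`."""
    word = bytes.fromhex(word_hex[2:] if word_hex.startswith("0x") else word_hex)
    if len(word) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    marker = word[-1]
    if marker & 1:
        # Long string: whole word is length * 2 + 1; data starts at keccak256(slot)
        # and must be read from there separately (not fetched here).
        length = (int.from_bytes(word, "big") - 1) // 2
        return DecodedString(long=True, length=length, text=None)
    length = marker // 2
    if length > 31:
        raise ValueError("short-string marker with an invalid length")
    return DecodedString(long=False, length=length, text=word[:length].decode("utf-8"))


def encode_short_string_slot(value: str) -> str:
    """Inverse of the short-string case: the word `cast storage` shows for <= 31 bytes."""
    data = value.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only short strings fit in a single slot")
    word = data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])
    return "0x" + word.hex()


if __name__ == "__main__":
    print(decode_string_slot(RAW_SLOT_1))  # text='myPassword', length=10
```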

Impact

Anybody can read the password.

Tools Used

Manual analysis.

Recommendations

It is recommended not to store sensitive information like passwords on the blockchain, but if you still want to, encrypt the password before storing it on the blockchain.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
