First Flight #1: PasswordStore
First Flight #1
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Private variables can be seen by anyone

Proxy

Summary

Everything that is inside a contract is visible to all observers external to the blockchain. Making variables private only prevents other contracts from reading or modifying the information, but it will still be visible to the whole world outside of the blockchain

Vulnerability Details

Proof Of Concept

Add the following test to the PasswordStore.t.sol test file. Run the test with forge t --mt test_AnyoneCanSeePassword -vv

function test_AnyoneCanSeePassword() public {
// get the bytes32 of the `s_password` storage variable at slot 1
bytes32 s_password = vm.load(address(passwordStore), bytes32(uint256(1)));
// convert the bytes32 to a string
string memory password = string(abi.encodePacked(s_password));
console.log(password); // OUTPUT: myPassword
}

We can also use web3.js function web3.eth.getStorageAt(address, position) or simply use etherscan to find out the password.

Impact

Everyone can see the password from the owner.

Tools Used

Foundry

Recommendations

Use a commit-reveal scheme to store the password

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.