A private key is hardcoded indirectly via the StructData.sol contract in the MockData.sol test file, which an attacker can easily extract and use to take full control of the associated wallet. This exposure allows the attacker to drain all funds or execute arbitrary transactions from that wallet on the protocol’s behalf. The cause is the private key being left in test data.
In MockData.sol:43, the private key is stored in the comments.
Extract the key: The attacker fetches the private key from the GitHub file.
Import into wallet: Using the stolen key, the attacker imports it into a wallet or scripting environment (e.g. via web3/ethers libraries) to assume control of the corresponding address.
Take over funds: Now acting as the wallet owner, the attacker can transfer out all funds or perform any transactions from the Domain’s address (since they possess the wallet’s private key credentials).
The protocol (and its users) would suffer a total loss of all funds held by the affected Domain wallet. An attacker with the private key can instantly transfer out or reallocate the assets; in known incidents, wallets have been drained within seconds of key exposure. Essentially, the attacker gains complete and irreversible control over the wallet and its funds.
Manual review.
Never store private keys or other secrets directly in smart contract code. Remove the comment.
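A pre-commit or CI check in the spirit of this recommendation, as an added example that is not part of the original finding or the project's code: it flags 32-byte hex values that sit in Solidity comments or beside key-like names, and skips values outside the secp256k1 key range. The function name, the keyword list and the sample contract are assumptions, and every hex value in the sample is constructed.

```python
import re

# A 32-byte value written as 64 hex digits, with or without a 0x prefix.
HEX32 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
# Names suggesting a signing key rather than a hash or slot (assumed word list).
KEY_HINT = re.compile(r"private\s*key|priv_?key|secret|mnemonic", re.I)
# secp256k1 group order: a usable Ethereum private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def scan_solidity(source):
    """Return (line, reason, redacted) for key-like hex values, comments included."""
    findings, in_block = [], False
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in HEX32.finditer(line):
            if not 0 < int(m.group(1), 16) < SECP256K1_N:
                continue  # out of range, cannot be a private key
            before = line[: m.start()]
            in_comment = ("//" in before or before.rfind("/*") > before.rfind("*/")
                          or (in_block and "*/" not in before))
            if in_comment:
                reason = "32-byte hex value in comment"
            elif KEY_HINT.search(line):
                reason = "32-byte hex value next to key-like name"
            else:
                continue  # likely a hash or slot constant in live code
            # Redact: never echo the full value into CI logs.
            findings.append((lineno, reason, m.group(1)[:4] + "..."))
        # Carry /* ... */ state across lines.
        opens, closes = line.rfind("/*"), line.rfind("*/")
        if opens != closes:
            in_block = opens > closes
    return findings

# Constructed sample: the hex values are synthetic fillers, not real keys.
FAKE = "0x" + "1f" * 32
SAMPLE = "\n".join([
    "contract MockExample {",
    "    // deployer private key: " + FAKE,
    "    bytes32 constant SLOT = 0x" + "c0" * 32 + ";",
    "    /* signer",
    "       " + FAKE + " */",
    "    uint256 ownerPrivateKey = " + FAKE + ";",
    "    // max: 0x" + "ff" * 32,
    "}",
])

if __name__ == "__main__":
    for finding in scan_solidity(SAMPLE):
        print(finding)
```

A 32-byte hex value in a comment can also be a transaction hash, so a hit is a prompt for manual review rather than proof of a leaked key.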