The contract is designed to store secrets in a Vault resource, with access controlled through the get_secret
function so that only the owner can retrieve the secret through the module.
However, the access check in get_secret only restricts callers of that Move function. The Vault resource itself lives in the owner's account storage, and account resources on Aptos are public: every full node serves them to anyone who asks, with no signer involved. The design rests on a fundamental misunderstanding of how the blockchain works: its state is public.
Likelihood:
High. Any user can query the blockchain with the standard Aptos REST API (GET /v1/accounts/<addr>/resources on any full node) or the Aptos CLI to read the account's resources; no transaction, key, or interaction with the contract is required.
Impact:
The owner's secret stored through this contract is publicly visible to anyone, regardless of the check in get_secret.
Anyone can run aptos account list --account <owner account addr> (the CLI's default query is resources)
and get a result like this:
The owner should encrypt the secret off-chain with a key that is never stored on-chain, so that only ciphertext is placed in the Vault, and must not rely on get_secret for confidentiality: an on-chain access check protects the function, not the data.
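The following is an added example, not code from the contest submission or the audited contract. It shows the two halves of the finding in working Python: first, reading the Vault resource from the JSON shape the Aptos node API returns for GET /v1/accounts/<addr>/resources (a constructed sample is embedded, and the module address 0xc0ffee, module name vault and field name secret are assumptions); second, the recommended mitigation, encrypting the secret off-chain with a key the owner keeps so that the on-chain field holds only ciphertext. The cipher here is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because it needs nothing beyond the standard library; in production use an AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
"""Added example: why a Move access check does not hide data, and what to do instead.

Assumptions (not from the report): the resource is 0xc0ffee::vault::Vault { secret: vector<u8> },
and the node API serialises vector<u8> as a 0x-prefixed hex string (it does).
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for the response to GET /v1/accounts/0xc0ffee/resources.
# No Move access control is involved: a full node answers this to anyone.
SAMPLE_RESOURCES = json.dumps([
    {"type": "0x1::account::Account", "data": {"sequence_number": "7"}},
    {"type": "0xc0ffee::vault::Vault", "data": {"secret": "0x" + b"hunter2".hex()}},
])


def read_vault_secret(resources_json: str, module: str = "vault",
                      struct: str = "Vault") -> Optional[bytes]:
    """Return the raw bytes of the `secret` field of the first <addr>::vault::Vault resource.

    This is what any observer sees; get_secret's owner check never runs.
    """
    for res in json.loads(resources_json):
        # Resource types look like "<address>::<module>::<struct>" with optional generics.
        _addr, mod, name = res["type"].split("::", 2)
        if mod == module and name.split("<", 1)[0] == struct:
            return bytes.fromhex(res["data"]["secret"][2:])
    return None


# ---- mitigation: encrypt off-chain, store only ciphertext ------------------------------

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the owner's off-chain key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: keystream block i = HMAC(k, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. Raises ValueError on tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def publish_encrypted(key: bytes, plaintext: bytes) -> str:
    """Constructed view of the account's resources after the owner stores seal(key, secret)."""
    return json.dumps([
        {"type": "0xc0ffee::vault::Vault", "data": {"secret": "0x" + seal(key, plaintext).hex()}},
    ])


if __name__ == "__main__":
    # As deployed: the secret is readable without ever calling get_secret.
    print("observer reads:", read_vault_secret(SAMPLE_RESOURCES))
    # Mitigated: the observer reads only ciphertext; the owner decrypts off-chain.
    owner_key = secrets.token_bytes(32)
    chain = publish_encrypted(owner_key, b"hunter2")
    seen = read_vault_secret(chain)
    print("observer reads:", seen.hex())
    print("owner decrypts:", open_(owner_key, seen))
```

The point the example makes is structural: read_vault_secret never touches the contract, so nothing written in Move changes what it returns. The only thing that changes the observer's view is that the value placed in the resource is ciphertext whose key never left the owner's machine.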