Secret Vault on Aptos

First Flight #46
Submission Details
Severity: high
Valid

Broken Access Control in get_secret

Root + Impact

Description

  • The get_secret function is designed to restrict access by verifying that the caller is the vault owner.

  • The function takes the caller as a plain `address` instead of a `&signer`. An address is a public value that any caller can supply, so passing the owner's address satisfies the check and bypasses the access control.

#[view]
@> public fun get_secret(caller: address): String acquires Vault {
@>     assert!(caller == @owner, NOT_OWNER);
    let vault = borrow_global<Vault>(@owner);
    vault.secret
}

Risk

Likelihood:

  • Anybody can call this function and pass the owner's address as the caller parameter

Impact:

  • Bypass of intended access control mechanism

Proof of Concept

#[test(owner = @owner, user = @0x1234)]
fun test_get_secret_bypass(owner: &signer, user: &signer) acquires Vault {
    use std::signer;
    use std::string;
    use aptos_framework::account;
    // Set up test environment
    account::create_account_for_test(signer::address_of(owner));
    account::create_account_for_test(signer::address_of(user));
    // The owner stores a secret
    let secret = b"i'm a secret";
    set_secret(owner, secret);
    // The owner's address is a public value that any caller can supply
    let owner_address = signer::address_of(owner);
    // get_secret returns the secret to anyone who passes the owner's address
    assert!(get_secret(owner_address) == string::utf8(secret), 1);
}

Recommended Mitigation

There is no mitigation. All data on the blockchain is public, so there is no point in access control for a view function. One can consider removing the function altogether.
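The following module is an added example, not code from the audited project: it puts the address-based getter from this finding beside a `&signer`-based getter and shows in two unit tests why the first can be bypassed and the second cannot. It assumes a named address `owner` declared in Move.toml; as noted above, the signer variant can no longer be a #[view] function and does not make the stored secret private, since the Vault resource remains readable on-chain.

```move
module owner::vault_demo {
    // Added example, not the audited project's code. Contrasts an
    // `address` parameter with a `&signer` parameter for the owner check.
    use std::signer;
    use std::string::{Self, String};

    const NOT_OWNER: u64 = 1;

    struct Vault has key { secret: String }

    public entry fun set_secret(owner: &signer, secret: vector<u8>) {
        assert!(signer::address_of(owner) == @owner, NOT_OWNER);
        move_to(owner, Vault { secret: string::utf8(secret) });
    }

    // Pattern from the finding: `caller` is a plain value, so anyone can pass @owner.
    #[view]
    public fun get_secret_by_address(caller: address): String acquires Vault {
        assert!(caller == @owner, NOT_OWNER);
        borrow_global<Vault>(@owner).secret
    }

    // A &signer exists only for the transaction sender, so a non-owner cannot
    // satisfy this check. It can no longer be #[view], and it does not make the
    // stored secret private: the Vault resource is still readable on-chain.
    public fun get_secret_by_signer(caller: &signer): String acquires Vault {
        assert!(signer::address_of(caller) == @owner, NOT_OWNER);
        borrow_global<Vault>(@owner).secret
    }

    #[test(owner = @owner)]
    fun address_check_is_bypassable(owner: &signer) acquires Vault {
        set_secret(owner, b"i'm a secret");
        // No owner signer is needed here; @owner is a public constant.
        assert!(get_secret_by_address(@owner) == string::utf8(b"i'm a secret"), 0);
    }

    #[test(owner = @owner, user = @0x1234)]
    #[expected_failure(abort_code = 1, location = Self)] // NOT_OWNER
    fun signer_check_holds(owner: &signer, user: &signer) acquires Vault {
        set_secret(owner, b"i'm a secret");
        // `user` can only present its own signer, never the owner's.
        get_secret_by_signer(user);
    }
}
```

Run with `aptos move test`; the first test passes without any owner signer, the second aborts with NOT_OWNER as expected.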

Updates

Lead Judging Commences

bube Lead Judge 18 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of signer check in `get_secret`
