Secret Vault on Aptos

First Flight #46

Beginner FriendlyWallet

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

The `secret` is stored on the blockchain and therefore is never private

maroutis

Root + Impact

The module stores the secret as a String in a has key resource. However, this storage is public and can be access by anyone. Anyone can query APIs to read the secret bytes.

Description

According to the Readme, the “secret” should not be retrievable by unauthorized parties. But since the Vault has a key resource, it is stored on the global state of the blockchain. However, there are additional issues :

The get_secret function is supposed to be callable only by the owner of the Vault (which is set in the .toml). However, Anybody can call it by providing the owner's address.
Even if this function was correctly implemented, it wouldn't change the fact that the secret is retrievable from the blockchain anyways.

struct Vault has key { @> secret: String }

Risk

Public chain state is inspectable by anyone. Plus anyone can call the get_secret. The secret can thus be retrieved by anybody which is a huge risk to the owner.

Proof of Concept

#[test(owner = @0xcc)]

fun test_public_leak(owner: &signer) acquires Vault {

use aptos_framework::account;

// Set up test environment

account::create_account_for_test(signer::address_of(owner));

let secret = b"i'm a secret";

set_secret(owner, bytes);

// Anyone can call the view and pass the owner's address.

let leaked = get_secret(signer::address_of(owner));

assert!(leaked == string::utf8(secret), 9001);

// Can also retieve it directly

let owner_address = signer::address_of(owner);

let vault = borrow_global<Vault>(owner_address);

assert!(vault.secret == string::utf8(secret), 4);

debug::print(&b"All tests passed!");

}

Recommended Mitigation

Do NOT store any secret, passwords or sensitive data on the blockchain.
Also be careful when setting the control accesses for the function that are only supposed to be called by a specific address i.e get_secret.

Updates

Lead Judging Commences

bube Lead Judge 17 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Anyone can see the `secret` on chain

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.