Secret Vault on Aptos

First Flight #46
Beginner Friendly, Wallet
Submission Details
Impact: high
Likelihood: high
Invalid

Anyone can set their own secret.

No Access Control for set_secret - Anyone can set their secret.

Description

  • Only the owner can set the secrets

  • But there is no access control, so anyone can set the secrets

public entry fun set_secret(caller: &signer, secret: vector<u8>) {
@>  // Need access control
    let secret_vault = Vault { secret: string::utf8(secret) };
    move_to(caller, secret_vault);
    event::emit(SetNewSecret {});
}

Risk

Likelihood:

  • When users set the secrets, it always happens.

Impact:

  • Anybody can set their secrets.

Proof of Concept

#[test(user = @0x123)]
fun test_anyone_set_secret(user: &signer) acquires Vault {
    use std::signer;
    use std::string;
    use std::debug;
    use aptos_framework::account;
    // Set up the test environment: register the test account
    account::create_account_for_test(signer::address_of(user));
    // Create a new secret for the user (an arbitrary, non-owner account)
    let secret = b"i'm a secret";
    set_secret(user, secret);
    // Get the address the Vault was published under
    let user_address = signer::address_of(user);
    // Verify the secret was added under the caller's own address
    let vault = borrow_global<Vault>(user_address);
    assert!(vault.secret == string::utf8(secret), 4);
    debug::print(&string::utf8(b"Anyone can set secret!"));
}

Recommended Mitigation

Add access control to set_secret.

Option 1. Add a direct check that the caller is the owner.

Option 2. Add a modifier named onlyOwner and use it.

public entry fun set_secret(caller: &signer, secret: vector<u8>) {
+   assert!(signer::address_of(caller) == @owner, NOT_OWNER);
    let secret_vault = Vault { secret: string::utf8(secret) };
    move_to(caller, secret_vault);
    event::emit(SetNewSecret {});
}
Updates

Lead Judging Commences

bube Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Anyone can call `set_secret` function

In Move for Aptos, the term "owner" refers to a signer, which is a verified account that owns a given resource, has permission to add resources, and has the ability to grant access to or modify digital assets. Following this logic in this contest, the owner is the account that owns `Vault`. This means that anyone has the right to call `set_secret` and then to own the `Vault` and to retrieve the secret from the `Vault` in the `get_secret` function. Therefore, this group is invalid, because the expected behavior is for anyone to be able to call the `set_secret` function.
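To make the per-account resource model in the judgement concrete, here is an added Move example (not the contest's vault contract, the submitter's PoC, or the judge's code). It assumes a hypothetical module address `secret_vault_demo`, a `get_secret` view guarded by `exists<Vault>`, and constructed test addresses; it shows that `move_to(caller, ...)` publishes each Vault under the caller's own address, so two signers end up with two independent Vaults and neither can read or overwrite the other's.

```move
// Added example: per-account Vault storage on Aptos. Module address,
// abort code and test addresses below are assumptions, not from the contest.
module secret_vault_demo::vault {
    use std::signer;
    use std::string::{Self, String};

    /// Abort code when no Vault is stored under the queried account.
    const E_NO_VAULT: u64 = 1;

    /// One Vault lives under each account that calls `set_secret`.
    struct Vault has key {
        secret: String,
    }

    /// `move_to(caller, ...)` publishes the resource under the caller's own
    /// address: every signer creates, and therefore owns, only their own Vault.
    public entry fun set_secret(caller: &signer, secret: vector<u8>) {
        move_to(caller, Vault { secret: string::utf8(secret) });
    }

    /// Reads the secret stored under `addr`; aborts if that account set none.
    #[view]
    public fun get_secret(addr: address): String acquires Vault {
        assert!(exists<Vault>(addr), E_NO_VAULT);
        borrow_global<Vault>(addr).secret
    }

    #[test(alice = @0xA11CE, bob = @0xB0B)]
    fun two_accounts_keep_separate_vaults(alice: &signer, bob: &signer) acquires Vault {
        set_secret(alice, b"alice secret");
        set_secret(bob, b"bob secret");
        // Each signer's call stored a Vault only under that signer's address.
        assert!(get_secret(signer::address_of(alice)) == string::utf8(b"alice secret"), 0);
        assert!(get_secret(signer::address_of(bob)) == string::utf8(b"bob secret"), 0);
    }

    #[test]
    #[expected_failure(abort_code = 1, location = Self)]
    fun reading_unset_vault_aborts() acquires Vault {
        // Constructed address that never called `set_secret`.
        get_secret(@0xDEAD);
    }
}
```

Run the tests with `aptos move test` inside a package that declares the `secret_vault_demo` named address.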
