Secret Vault on Aptos

First Flight #46

Beginner FriendlyWallet

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Undefined @owner Named Address Prevents Contract Compilation

shieldrey

Root + Impact

Description

The protocol should allow each user to store and retrieve their own secret securely as independent owners. However, the get_secret function references an undefined named address @owner which will cause compilation failure when the contract is built for deployment, making the entire contract non-functional and preventing any user from accessing the secret storage functionality.

// Root cause in the codebase with @> marks to highlight the relevant section

public fun get_secret(caller: address): String acquires Vault {

//> @audit @owner is referenced but defined as "_" in Move.toml, causing compilation issues

assert!(caller == @owner, NOT_OWNER);

let vault = borrow_global<Vault>(@owner);

vault.secret

}

Risk

Likelihood:

The Move compiler will immediately fail when encountering the undefined @owner reference during the build process for mainnet deployment
Contract cannot be deployed to any blockchain network until a concrete address replaces the placeholder "_" value
Every deployment attempt will result in compilation errors until this fundamental configuration issue is resolved

Impact:

Contract is completely non-functional due to compilation failure, blocking all secret storage and retrieval functionality
No user can store or retrieve any secrets until this fundamental infrastructure issue is resolved
Development and deployment pipeline completely blocked, preventing the protocol from launching
Protocol cannot fulfill its core value proposition of secure secret storage

Proof of Concept

// Attempting to compile this contract will result in:

// error[E04003]: unbound named address

// --> sources/vault.move:31:29

// |

// 31 | assert!(caller == @owner, NOT_OWNER);

// | ^^^^^^ Unbound named address 'owner'

// Current Move.toml configuration:

// [addresses]

// owner = "_" // Placeholder value causes compilation failure

Recommended Mitigation

- remove this code

+ add this code

// Option 1: Remove the hardcoded @owner concept entirely for true multi-user functionality

public fun get_secret(caller: address): String acquires Vault {

- assert!(caller == @owner, NOT_OWNER);

- let vault = borrow_global<Vault>(@owner);

+ // Each user retrieves their own secret stored at their address

+ let vault = borrow_global<Vault>(caller);

vault.secret

}

// Option 2: If single owner is intended, define a concrete address in Move.toml

// [addresses]

- owner = "_"

+ owner = "0xspecific_owner_address"

Updates

Lead Judging Commences

bube Lead Judge 15 days ago

Submission Judgement Published

Validated

Assigned finding tags:

The protocol doesn't work as intended

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.