Secret Vault on Aptos

First Flight #46
Beginner Friendly, Wallet
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Privilege Escalation in set_secret Function

Root + Impact

Description

  • Describe the normal behavior in one or more sentences

    Answer: The set_secret function is designed to allow a user to store or update their own secret securely in the system. Ideally, only authorized users should be able to set or modify their own data.


  • Explain the specific issue or problem in one or more sentences
    Answer: The function lacks any authentication or authorization checks, meaning any user can set or overwrite secrets for any other user. This opens the door to privilege escalation and data corruption.

class SecretStore:
    def __init__(self):
        self.secrets = {}

    def set_secret(self, user, secret):
        # @> No authentication or role verification before setting secrets
        self.secrets[user] = secret

    def get_secret(self, user):
        # Assumed read path: the proof of concept below calls get_secret,
        # which the report does not show. It performs no check either.
        return self.secrets.get(user)

Risk

Likelihood:

  • Reason 1

    This occurs whenever a malicious actor directly calls set_secret with another user's identifier.


  • Reason 2

    Because there are no restrictions, automated scripts or insiders can exploit this consistently without detection.

Impact:

  • Impact 1

    Attackers can overwrite sensitive secrets of legitimate users, corrupting system integrity.


  • Impact 2

    Privilege escalation enables attackers to impersonate privileged users by setting fake secrets on their behalf, leading to unauthorized access to critical resources.

Proof of Concept

I am demonstrating how an attacker can set a secret for another user without their knowledge or permission, effectively hijacking their account or privilege.

Here, the attacker bypasses any need to authenticate as "admin" and simply sets the admin’s secret directly. This proves that privilege escalation is possible because there is no check on which user is allowed to call set_secret.

# Attacker controls user "bob" but overwrites admin's secret
store = SecretStore()

# Malicious action
store.set_secret("admin", "compromised-secret")

# Now whenever admin retrieves their secret, they see the attacker's secret
print(store.get_secret("admin"))  # Output: compromised-secret

Recommended Mitigation

The fix ensures that users can only update their own secrets, preventing them from overwriting secrets belonging to others. For more advanced security, role-based access control (RBAC) or an access control list (ACL) can be added to allow privileged accounts to manage secrets securely.

- remove this code
    self.secrets[user] = secret

+ add this code
    def set_secret(self, requester, target_user, secret):
        # Ensure requester is allowed to update only their own secret
        if requester != target_user:
            raise PermissionError("Unauthorized: Cannot set secrets for other users.")
        self.secrets[target_user] = secret
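The following is an added example, not code from the report or from the Aptos contract: it carries the mitigation above one step further in the report's own Python model, adding the ACL the text mentions so that a privileged account can manage other users' entries, applying the same check to reads, and recording rejected calls so that the PoC's overwrite attempt becomes an auditable event. The admins list and the denied log are assumptions of this example.

```python
# Added example (not the report's or the project's code). Names SecretStore,
# set_secret and get_secret follow the report; `admins` (an ACL of accounts
# allowed to manage any entry) and `denied` (audit trail) are assumptions.

class SecretStore:
    def __init__(self, admins=()):
        self.secrets = {}
        self.admins = set(admins)   # ACL: accounts that may act on any entry
        self.denied = []            # rejected calls, kept for detection/review

    def _authorize(self, requester, target_user, action):
        # A caller may act on its own entry; ACL members may act on any entry.
        if requester == target_user or requester in self.admins:
            return
        self.denied.append((requester, target_user, action))
        raise PermissionError(
            f"Unauthorized: {requester} may not {action} secret of {target_user}")

    def set_secret(self, requester, target_user, secret):
        self._authorize(requester, target_user, "set")
        self.secrets[target_user] = secret

    def get_secret(self, requester, target_user):
        # Reads get the same check; otherwise the fix only covers half the path.
        self._authorize(requester, target_user, "get")
        return self.secrets.get(target_user)


def demo():
    """Replays the report's PoC call against the hardened store."""
    store = SecretStore(admins=["admin"])
    store.set_secret("admin", "admin", "real-secret")
    store.set_secret("bob", "bob", "bobs-secret")
    try:
        store.set_secret("bob", "admin", "compromised-secret")  # the PoC call
        outcome = "overwritten"
    except PermissionError:
        outcome = "rejected"
    store.set_secret("admin", "bob", "rotated")   # ACL member may rotate bob's
    try:
        store.get_secret("bob", "admin")          # bob cannot read admin's
        read = "leaked"
    except PermissionError:
        read = "rejected"
    return (outcome, store.get_secret("admin", "admin"),
            store.get_secret("bob", "bob"), read, len(store.denied))
```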
Updates

Lead Judging Commences

bube Lead Judge 14 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
