Secret Vault on Aptos

First Flight #46
Beginner Friendly · Wallet
100 EXP
Submission Details
Severity: high
Valid

Sensitive Data Exposure — Secrets Stored in Plaintext On-Chain

Description

  • Applications that manage sensitive user information (passwords, private keys, recovery phrases, or other secrets) should never store it in plaintext on-chain: blockchain data is fully transparent and immutable, so anything written there is readable by everyone, permanently.

  • In this case, the function stores the secret directly into a Vault resource (the secret also arrives as an entry-function argument, which is itself part of the public transaction):

    public entry fun set_secret(caller: &signer, secret: vector<u8>) {
        // Vault is the module's `key` resource holding a String field named `secret`
        let secret_vault = Vault { secret: string::utf8(secret) };
        move_to(caller, secret_vault); // ❌ stores the raw secret in global storage under the caller's address
        event::emit(SetNewSecret {});
    }
  • This means anyone with blockchain access (explorer, full node, archive node, or indexer) can read the stored secret.

  • Therefore, the “secret” is not private at all — the confidentiality promise of the contract is completely broken.

Risk

Likelihood:

  • Reason 1: This issue occurs every time a user sets a secret, since the value is always stored in plaintext.

  • Reason 2: It is guaranteed to manifest because blockchain storage is public by design.

Impact:

  • Impact 1: All user secrets are exposed publicly on-chain, resulting in a complete loss of confidentiality.

  • Impact 2: Sensitive data leakage may lead to account compromise, credential theft, or reputational damage to the dApp.

Proof of Concept

    // Any observer can run this inside a function declared `acquires Vault`:
    let vault = borrow_global<Vault>(user_addr);
    debug::print(&vault.secret); // ❌ prints the secret in plaintext

Or simply query the account's resources through an explorer or the node API to read the stored string.

Recommended Mitigation

  • Store only a hash or commitment of the secret on-chain, never the secret itself.

  • Store the secret off-chain and keep only a proof (such as a hash) on-chain.

  • Encrypt the secret on the client before storing it, so the chain only ever holds ciphertext.
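The hash option only helps if the digest is computed on the client, because set_secret receives the secret as a public transaction argument and hashing inside the contract would still publish the plaintext in every transaction. The following Python is an added example, not the audited contract's code: it shows the client-side salted commitment and the reveal check a contract view function would perform (the view name verify_secret mentioned in the comments is hypothetical).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 32  # 256-bit random salt: a short secret hashed without one is guessable offline


def commit(secret: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, commitment) with commitment = sha3_256(salt || secret).

    Only `commitment` goes into the transaction; `salt` and `secret` never leave the
    user's device. hashlib.sha3_256 is FIPS-202 SHA3-256, the same function as Move's
    std::hash::sha3_256, so the contract can recompute it on a later reveal.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    return salt, hashlib.sha3_256(salt + secret).digest()


def verify(commitment: bytes, salt: bytes, secret: bytes) -> bool:
    """Check a revealed (salt, secret) against a stored commitment.

    This is what a hypothetical #[view] function verify_secret would do on-chain;
    compare_digest avoids a timing side channel in off-chain checkers.
    """
    _, expected = commit(secret, salt)
    return hmac.compare_digest(commitment, expected)


def public_view(secret: bytes, hardened: bool) -> bytes:
    """Bytes an explorer or indexer can read for one set_secret call.

    In the audited flow the argument and the stored String are the plaintext secret;
    in the hardened flow both are the 32-byte digest, which reveals nothing about
    `secret` without the salt.
    """
    return commit(secret)[1] if hardened else secret


if __name__ == "__main__":
    secret = b"hunter2"  # constructed sample secret
    salt, c = commit(secret)
    print("submitted and stored:", c.hex())
    print("reveal accepted:", verify(c, salt, secret))
    print("wrong secret rejected:", not verify(c, salt, b"hunter3"))
```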

- let secret_vault = Vault{ secret: string::utf8(secret) };
+ let secret_vault = Vault{ secret: hash::sha3_256(secret) };
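Review bot: the `+` line changes the stored value's type without changing the struct: `hash::sha3_256` returns a `vector<u8>`, while the `-` line builds the field from `string::utf8(secret)`, so `Vault.secret` is a `String`; the field type has to change (or the digest be hex-encoded) before this compiles. More importantly, `secret` remains the entry function's `vector<u8>` argument, so the plaintext is still published in every `set_secret` transaction even after this change; the digest must be computed client-side and only the digest passed in, and it should be salted, since the unsalted hash of a short secret can be matched against a list of common values.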
Updates

Lead Judging Commences

bube Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can see the `secret` on chain
