Submission Details
Severity:
Secret can be read by others/unauthorized parties
Description
only the owner should be able to retrieve the secret later, others should not be able to read the secret.
The secret: String is stored in plaintext on-chain. Full nodes / indexers can read raw state off-chain even if the module doesn’t expose a read function.
// move
struct Vault has key {
@> secret: String // plaintext on a public chain
}
Risk
Likelihood:
Always true on public chains; node operators/indexers can inspect state.
Impact:
The “secret” is not actually secret; privacy expectations are broken.
Proof of Concept
Observing raw state via an indexer / full node storage dump reveals the String bytes.
Recommended Mitigation
Consider making this changes
- struct Vault has key {
- secret: String }
+ // Store a commitment or ciphertext instead of plaintext:
+ struct Vault has key {
+ // e.g., a hash commitment (cannot retrieve original from hash)
+ secret_hash: vector<u8>
+ // OR an encrypted blob where the decryption key is held off-chain
+ // ciphertext: vector<u8>
+ }
Updates
Lead Judging Commences
bube 16 days ago
Submission Judgement Published Assigned finding tags:
Lack of signer check in `get_secret`
Rewards breakdown
nSLOC
30This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.