Secret Vault
First Flight #46
Beginner FriendlyWallet
100 EXP
View results
Previous Next
Submission Details
Impact: high
Likelihood: high
Invalid

Anyone Can Set Secret

i_atiq

Summary

According to project description-Only the owner should be able to store a secret. But anyone can call set_secret to store a secret. This violates the intended design

PoC

Paste the following test in secret_vault.move and run aptos move test -f test_anyone_can_store_secret:

#[test(user=@0x12345)]
fun test_anyone_can_store_secret(user: &signer) {
let secret = b"secret";
set_secret(user, secret);
}

Mitigation

Add the following line to the set_secret function

public entry fun set_secret(caller:&signer,secret:vector<u8>){
let secret_vault = Vault{secret: string::utf8(secret)};
+ assert!(signer::address_of(caller) == @owner,NOT_OWNER);
move_to(caller,secret_vault);
event::emit(SetNewSecret {});
}
Updates

Lead Judging Commences

bube Lead Judge 11 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Anyone can call `set_secret` function

In Move for Aptos, the term "owner" refers to a signer, which is a verified account that owns a given resource, has permission to add resources and the ability to grant access or modify digital assets. Following this logic in this contest, the owner is the account that owns `Vault`. This means that anyone has right to call `set_secret` and then to own the `Vault` and to retrieve the secret from the `Vault` in `get_secret` function. Therefore, this group is invalid, because the expected behavior is anyone to call the `set_secret` function.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.