Submission Details
Severity:
Anyone Can Get Onwer's Secret
Summary
The get_secret function only check if the passed address caller is the owner and returns the secret of the owner. The problem is it does not require the signer to be the owner, rather any signer of the transaction can get the owner's secret
PoC
Paste the following test in secret_vault.move and run aptos move test -f test_anyone_can_get_secret :
fun test_anyone_can_get_secret(owner: &signer) acquires Vault {
let secret = b"i'm a secret";
set_secret(owner, secret);
let owner_address = signer::address_of(owner);
// anyone can pass the address of owner to get his secret
let secret = get_secret(owner_address);
assert!(secret == string::utf8(b"i'm a secret"), 5);
}
Mitigation
Take a signer as parameter instead of just address:
- public fun get_secret (caller: address):String acquires Vault{
+ public fun get_secret (caller: &signer):String acquires Vault{
- assert! (caller == @owner,NOT_OWNER);
+ assert! (signer::address_of(caller) == @owner,NOT_OWNER);
let vault = borrow_global<Vault >(@owner);
vault.secret
}
Updates
Lead Judging Commences
bube 11 days ago
Submission Judgement Published Assigned finding tags:
Lack of signer check in `get_secret`
Rewards breakdown
nSLOC
30This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.