Secret Vault

First Flight #46
Beginner Friendly, Wallet
Submission Details
Severity: high
Valid

Access control not implemented in get_secret method

Root + Impact

Description

Summary

The get_secret function in the Secret Vault contract contains a critical access control vulnerability that allows anyone to retrieve any vault owner's secret by simply providing the owner's address as a parameter.

Vulnerability Details

Root Cause

The vulnerability exists in the get_secret function on lines 28-33:

```move
#[view]
public fun get_secret(caller: address): String acquires Vault {
    // `caller` is a plain address argument chosen by whoever invokes the
    // function, not the transaction sender, so this check is trivially satisfied.
    assert!(caller == @owner, NOT_OWNER);
    let vault = borrow_global<Vault>(@owner);
    vault.secret
}
```

The Problem: The function accepts a `caller: address` parameter and checks that it equals `@owner`, but the value of that parameter is supplied by whoever calls the function. The actual transaction sender is never validated.

Expected Behavior

The function should verify that the actual transaction sender (using &signer) is the owner of the vault, not just check an arbitrary address parameter.

Actual Behavior

Anyone can call get_secret(@owner) and successfully retrieve the owner's secret, completely bypassing the intended access control.

Risk

Likelihood

High: anyone can retrieve the secret by passing the owner's address, which can be found from the block explorer.

Impact

Exposure of secret data

Proof of Concept

N/A

Recommended Mitigation

Replace the vulnerable function with proper access control:

Key Changes:

  1. Change parameter from caller: address to caller: &signer

  2. Extract the actual caller's address using signer::address_of(caller)

  3. Verify the actual transaction sender, not an arbitrary parameter
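The three changes above applied to a complete module, as an added example rather than the contest's own code. The module name, the `Vault` layout and the `NOT_OWNER` value are assumptions; the original page shows only the function body. The `#[view]` attribute is dropped here because Aptos view functions cannot take signer parameters.

```move
module owner::secret_vault {
    // Required for signer::address_of; the report's diff does not show this import.
    use std::signer;
    use std::string::String;

    /// Error code name taken from the report; the numeric value is assumed.
    const NOT_OWNER: u64 = 1;

    /// Vault resource stored under @owner. Field name follows `vault.secret`
    /// in the original function; the rest of the layout is assumed.
    struct Vault has key {
        secret: String,
    }

    /// Hardened get_secret: the caller must present its own &signer, which only
    /// the transaction sender can produce, so the address can no longer be spoofed.
    public fun get_secret(caller: &signer): String acquires Vault {
        // Derive the address from the signer instead of trusting a parameter.
        let caller_address = signer::address_of(caller);
        assert!(caller_address == @owner, NOT_OWNER);
        let vault = borrow_global<Vault>(@owner);
        vault.secret
    }
}
```

The named address `owner` must be declared in the package's Move.toml for `@owner` to resolve.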

+ let caller_address = signer::address_of(caller);
+ assert!(caller_address == @owner, NOT_OWNER);
- assert! (caller == @owner,NOT_OWNER);
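Review bot: the hunk omits the signature change it depends on: `signer::address_of(caller)` only compiles once `caller` is already `&signer`, and the module needs `use std::signer;`, so the diff should also show `- public fun get_secret(caller: address): String acquires Vault {` and `+ public fun get_secret(caller: &signer): String acquires Vault {` next to these lines (and conventionally the removed line precedes the added ones). One caveat for whoever applies it: the original function carries `#[view]`, and Aptos view functions cannot take signer parameters, so the attribute has to be removed for this fix to compile.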
Updates

Lead Judging Commences

bube Lead Judge 11 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of signer check in `get_secret`
