Secret Vault

First Flight #46
Beginner Friendly, Wallet
Submission Details
Impact: low
Likelihood: medium
Invalid

[L] Anyone can set their own secret using `secret_vault::set_secret`, partially breaking an invariant

Description

The `secret_vault::set_secret` function is built as follows:

```move
public entry fun set_secret(caller: &signer, secret: vector<u8>) {
    let secret_vault = Vault { secret: string::utf8(secret) };
    move_to(caller, secret_vault);
    event::emit(SetNewSecret {});
}
```

Because the function performs no caller check, anyone can store their own secret in the vault. This partially breaks the invariant: only the owner should be able to store a secret and later retrieve it.

Risk

Anybody can store a secret, but cannot retrieve it afterwards. Non-owner accounts should not have write access to the vault at all, since they are not supposed to use it.

Proof of Concept

Add the following test to `secret_vault.move` (inside the module, so that it can `borrow_global<Vault>`):

```move
// Assumes the module already imports std::signer, std::string and std::debug.
#[test(user = @0x123)]
fun test_user_set_secret(user: &signer) acquires Vault {
    // A normal (non-owner) account stores a secret.
    let secret = b"i'm a secret";
    set_secret(user, secret);
    // Resolve the caller's address.
    let user_address = signer::address_of(user);
    // A Vault now exists under that address and holds the secret.
    let value = borrow_global<Vault>(user_address);
    assert!(value.secret == string::utf8(secret), 4);
    debug::print(&b"All tests passed!");
}
```

Recommended Mitigation

Restrict write access to the vault to the owner by adding the following check (`@owner` must be declared as a named address in `Move.toml`, and `NOT_OWNER` as an error constant in the module):

```diff
 public entry fun set_secret(caller: &signer, secret: vector<u8>) {
+    assert!(signer::address_of(caller) == @owner, NOT_OWNER);
     let secret_vault = Vault { secret: string::utf8(secret) };
     move_to(caller, secret_vault);
     event::emit(SetNewSecret {});
 }
```
Updates

Lead Judging Commences

bube Lead Judge 13 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Anyone can call `set_secret` function

In Move for Aptos, the term "owner" refers to a signer, which is a verified account that owns a given resource, has permission to add resources, and has the ability to grant access or modify digital assets. Following this logic in this contest, the owner is the account that owns `Vault`. This means that anyone has the right to call `set_secret`, then to own the `Vault`, and to retrieve the secret from the `Vault` in the `get_secret` function. Therefore, this group is invalid, because the expected behavior is for anyone to be able to call the `set_secret` function.
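The judge's point above (and the reason the finding's "partially broken invariant" does not hold) is that `move_to(caller, ...)` publishes the `Vault` under the caller's own address, so each signer owns a separate resource and cannot reach anyone else's. The test below, an added example that is not part of the submission or of the First Flight code base, makes that isolation explicit and also shows the one real edge case of this design: a second `set_secret` call from the same account aborts, because `move_to` refuses to publish a resource at an address that already holds one of that type. It assumes the same module, `Vault` struct and `set_secret` function as shown on this page, with `std::signer` and `std::string` already imported; the account addresses `@0x123` and `@0x456` are arbitrary test values.

```move
// Added example: two independent accounts each end up with their own Vault.
#[test(alice = @0x123, bob = @0x456)]
fun test_each_signer_owns_its_own_vault(alice: &signer, bob: &signer) acquires Vault {
    let alice_addr = signer::address_of(alice);
    let bob_addr = signer::address_of(bob);

    // Before any call, neither account holds a Vault.
    assert!(!exists<Vault>(alice_addr), 1);
    assert!(!exists<Vault>(bob_addr), 2);

    set_secret(alice, b"alice's secret");
    set_secret(bob, b"bob's secret");

    // Each Vault is published under the address of the signer that created it.
    assert!(exists<Vault>(alice_addr), 3);
    assert!(exists<Vault>(bob_addr), 4);

    // Bob's call did not touch Alice's resource, and vice versa.
    let alice_vault = borrow_global<Vault>(alice_addr);
    assert!(alice_vault.secret == string::utf8(b"alice's secret"), 5);

    let bob_vault = borrow_global<Vault>(bob_addr);
    assert!(bob_vault.secret == string::utf8(b"bob's secret"), 6);
}

// Added example: re-calling set_secret from the same signer fails, because
// move_to aborts when a Vault already exists at that address. The bare
// #[expected_failure] is used because this is a VM error, not an abort! code
// chosen by the module.
#[test(alice = @0x123)]
#[expected_failure]
fun test_second_set_secret_aborts(alice: &signer) {
    set_secret(alice, b"first");
    set_secret(alice, b"second");
}
```

Run with `aptos move test` from the package root. The first test passing is what the judge's reasoning predicts: a non-owner calling `set_secret` gains a vault of their own, not access to someone else's. The second test is the practical caveat for users of this module: there is no update path, so an account that wants to change its secret must first `move_from` the existing `Vault` (the page does not show such a function).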
