Secret Vault on Aptos

First Flight #46
Beginner Friendly, Wallet
Submission Details
Severity: high
Valid

Insecure access to secret due to not using &signer for authentication

Root + Impact

Description

  • `get_secret` identifies the caller by an unverified `address` argument instead of a cryptographically verified `&signer`.

  • The check only compares that caller-supplied address with the hardcoded `@owner` value; it does not assert the caller's rights.

public fun get_secret(caller: address): String acquires Vault {
    assert!(caller == @owner, NOT_OWNER); // Vulnerable check
    let vault = borrow_global<Vault>(@owner); // Insecure access to data
    vault.secret
}

Risk

Likelihood:

  • Any user can call the function with an arbitrary address.

  • Phishing interfaces can automate mass calls.

Impact:

  • Disclosure of confidential data (the secret) to any network user.

  • Violation of the confidentiality of the secret's owner.

Proof of Concept

// The attacker knows the owner's address (@owner)
let victim_address: address = 0x123...;
// Calling a function with the victim's address
let secret = get_secret(victim_address);
// The secret data is now available to the attacker
debug::print(&secret);

Recommended Mitigation

Replace the vulnerable implementation with a version that takes a `&signer` and derives the address from it:
- public fun get_secret(caller: address): String acquires Vault {
- assert!(caller == @owner, NOT_OWNER);
- let vault = borrow_global<Vault>(@owner);
- vault.secret
- }
+ public fun get_secret(owner: &signer): String acquires Vault {
+ let owner_addr = signer::address_of(owner);
+ assert!(exists<Vault>(owner_addr), NOT_OWNER);
+ let vault = borrow_global<Vault>(owner_addr);
+ vault.secret
+ }
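
Review bot: the added `assert!(exists<Vault>(owner_addr), NOT_OWNER)` no longer compares the caller with `@owner`, which the removed `assert!(caller == @owner, NOT_OWNER)` did, and it reuses `NOT_OWNER` for what is really a missing-resource condition. If the vault is meant to exist only at `@owner`, keep an explicit `assert!(owner_addr == @owner, NOT_OWNER)` right after `signer::address_of(owner)` and give the `exists<Vault>` check its own error code, so that "not the owner" and "no vault published" abort differently.
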
Updates

Lead Judging Commences

bube Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of signer check in `get_secret`
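
A regression test for the signer check this finding asks for, as an added example that is not the contest's or the submitter's code. Only `Vault`, `get_secret`, `NOT_OWNER` and `@owner` come from the finding; the module name, the `set_secret` helper, the error-code values, `VAULT_NOT_FOUND` and the `@0xB0B` test address are assumptions, and the `owner` named address must be assigned in `Move.toml`.

```move
// Added example (hypothetical module name). Assumes the named address `owner`
// is assigned in Move.toml and the Vault is stored at @owner.
module owner::vault_signer_check {
    use std::signer;
    use std::string::{Self, String};

    const NOT_OWNER: u64 = 1;       // assumed value
    const VAULT_NOT_FOUND: u64 = 2; // hypothetical: separates "no vault" from "not owner"

    struct Vault has key { secret: String }

    // Hypothetical setter so the tests can publish a Vault.
    public entry fun set_secret(owner: &signer, secret: vector<u8>) {
        assert!(signer::address_of(owner) == @owner, NOT_OWNER);
        move_to(owner, Vault { secret: string::utf8(secret) });
    }

    // Identity comes from the transaction signer, never from an argument.
    public fun get_secret(owner: &signer): String acquires Vault {
        let owner_addr = signer::address_of(owner);
        assert!(owner_addr == @owner, NOT_OWNER);
        assert!(exists<Vault>(owner_addr), VAULT_NOT_FOUND);
        borrow_global<Vault>(owner_addr).secret
    }

    #[test(owner = @owner)]
    fun owner_reads_secret(owner: &signer) acquires Vault {
        set_secret(owner, b"constructed test value");
        assert!(get_secret(owner) == string::utf8(b"constructed test value"), 0);
    }

    // A signer other than @owner must abort with NOT_OWNER (1).
    #[test(owner = @owner, other = @0xB0B)]
    #[expected_failure(abort_code = 1, location = Self)]
    fun other_signer_is_rejected(owner: &signer, other: &signer) acquires Vault {
        set_secret(owner, b"constructed test value");
        get_secret(other);
    }

    #[test(owner = @owner)]
    #[expected_failure(abort_code = 2, location = Self)]
    fun missing_vault_aborts(owner: &signer) acquires Vault {
        get_secret(owner);
    }
}
```

The tests run with `aptos move test`; the second one is the check that fails to compile against the original `get_secret(caller: address)` signature, which is what makes it useful as a regression guard.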
