Secret Vault on Aptos

First Flight #46
Beginner Friendly · Wallet
100 EXP
Severity: High
Valid

Public “Secret” Stored On-Chain

Root + Impact

Description

The contract lets an owner set a "secret" value tied to their account and reference it later. The intuitive expectation is that this secret is private: known only to the owner, or to the contract when it needs the value for a check.

The implementation stores the plaintext secret as a Move resource under the caller’s account. On Aptos, all on-chain resources are public: anyone can fetch a resource from an account via Aptos Explorer or a fullnode API. As a result, the “secret” is not secret at all and can be read by anyone monitoring the chain.

struct Vault has key {
    secret: String   // @> plaintext secret, stored as public on-chain state
}
...
public entry fun set_secret(caller: &signer, secret: vector<u8>) {
    // The caller's raw bytes are converted to a String and published
    // under the caller's own account, where any fullnode can serve them.
    let secret_vault = Vault { secret: string::utf8(secret) };
    move_to(caller, secret_vault);
    event::emit(SetNewSecret {});
}

Aptos' own documentation confirms that resources are publicly readable:

Resources are stored within accounts. Resources can be located by searching within the owner’s account for the resource at its full query path inclusive of the account where it is stored as well as its address and module. Resources can be viewed on the Aptos Explorer by searching for the owning account or directly fetched from a fullnode’s API.

Risk

Likelihood: High

  • Confidentiality breach: The owner’s secret is publicly readable. Any assumptions of privacy or secrecy are invalid.

Impact: High

  • Immediate and continuous: As soon as set_secret is called and the transaction is finalized, the plaintext secret is visible to anyone who queries the owner’s account resources.

  • No special conditions required: An attacker only needs the owner’s address (available from the transaction or public usage) to query the resource.

Recommended Mitigation

Never store plaintext secrets on-chain. Use one of the following patterns instead:

  1. Commitment (hash) scheme

  2. Client-side encryption

  3. Off-chain storage
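The following Python example is added here and is not part of the original submission or the audited project. It illustrates two things from the sections above: first, that reading the plaintext out of a fullnode's resource response takes nothing more than the owner's address (the response body below is constructed, and the `0xCAFE::vault::Vault` resource type is a placeholder, since the page does not give the module address); second, what the recommended commitment (hash) scheme looks like, with a random salt so that a low-entropy secret cannot be recovered from the public commitment by hashing likely candidates. The function names (`read_stored_secret`, `commit`, `verify_reveal`, `recoverable_from_guesses`) are this example's own, not the contract's API.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the JSON a fullnode returns from
#   GET /v1/accounts/{owner_address}/resource/{resource_type}
# for the vulnerable contract. The resource type is a placeholder.
FULLNODE_RESPONSE = json.dumps({
    "type": "0xCAFE::vault::Vault",
    "data": {"secret": "hunter2"},
})


def read_stored_secret(resource_json: str) -> str:
    """Anyone holding the owner's address can do this: the resource is public
    account state, so the plaintext is served directly in the response."""
    return json.loads(resource_json)["data"]["secret"]


# --- Mitigation 1: commitment (hash) scheme ---------------------------------

def commit(secret: bytes, salt: bytes) -> bytes:
    """Value that belongs on-chain instead of the plaintext:
    SHA3-256(salt || secret). Only the 32-byte digest is published."""
    return hashlib.sha3_256(salt + secret).digest()


def new_commitment(secret: bytes) -> tuple:
    """Client-side step: draw a fresh 32-byte random salt and commit.
    The owner keeps (secret, salt) off-chain until reveal time."""
    salt = secrets.token_bytes(32)
    return commit(secret, salt), salt


def verify_reveal(commitment: bytes, secret: bytes, salt: bytes) -> bool:
    """Check run when the owner later reveals (secret, salt).
    compare_digest avoids leaking the position of the first mismatch."""
    return hmac.compare_digest(commitment, commit(secret, salt))


def recoverable_from_guesses(commitment: bytes, guesses, salt: bytes = b"") -> bytes:
    """Defender's sanity check: can the stored commitment be matched by hashing
    a small list of plausible values? With no (or a known) salt an unsalted
    hash of a weak secret is found immediately; with an unpublished random
    salt every guess misses. Returns the matching guess or b""."""
    for guess in guesses:
        if hmac.compare_digest(commitment, commit(guess, salt)):
            return guess
    return b""


if __name__ == "__main__":
    print("plaintext served by fullnode:", read_stored_secret(FULLNODE_RESPONSE))
    c, s = new_commitment(b"hunter2")
    print("on-chain commitment:", c.hex())
    print("reveal verifies:", verify_reveal(c, b"hunter2", s))
```

The salt is what separates a commitment from a mere hash: the stored digest alone reveals nothing about a weak secret until the owner chooses to reveal both values, at which point `verify_reveal` is the only on-chain check the contract needs.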

Updates

Lead Judging Commences

bube Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can see the `secret` on chain
