Secret Vault on Aptos

First Flight #46
Submission Details
Severity: high
Valid

Anyone can retrieve the owner secret via public APIs

Root + Impact

Description

  • The vault owner's secret is expected to be readable only by the vault owner.

  • However, `set_secret` stores the secret as a plain on-chain resource, and any on-chain resource can be read by anyone via the node REST API or off-chain tools.

```move
public entry fun set_secret(caller: &signer, secret: vector<u8>) {
    let secret_vault = Vault { secret: string::utf8(secret) };
@>  move_to(caller, secret_vault); // stores the plaintext secret as a publicly readable resource
    event::emit(SetNewSecret {});
}
```

Risk

Likelihood: High

  • This issue will occur any time after the owner sets the secret.

Impact: High

  • Anyone can read the owner's vault secret, which is the value used to authorize callers of the restricted functions. This allows anyone to impersonate the owner and modify the vault as they wish.

  • This issue breaks a main invariant as it is expected that others should not be able to access the secret.

Proof of Concept

  • Aptos REST API reference, "Get account resources": https://aptos.dev/rest-api/operations/get_account_resources

  • Run the request with the following endpoint and specify the owner address as a query parameter:

/v1/accounts/{address}/resources
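As an added pre-deployment check (not part of the original submission), the script below scans an account's resource list, in the JSON shape returned by the endpoint above, for fields that look like plaintext secrets. The module name `0xcafe::vault::Vault` and the sample response are constructed assumptions; the live fetch helper is included but the check runs offline on the sample.

```python
"""Scan Aptos account resources for sensitive-looking fields stored in plaintext."""
import json
import re
import urllib.request

# Field names that should never appear in a publicly readable on-chain resource.
SENSITIVE = re.compile(r"secret|password|passphrase|private|seed", re.IGNORECASE)


def fetch_resources(address: str, node_url: str = "https://fullnode.mainnet.aptoslabs.com") -> list:
    """Fetch every resource stored under an account (network call, not used offline)."""
    with urllib.request.urlopen(f"{node_url}/v1/accounts/{address}/resources") as resp:
        return json.load(resp)


def _walk(value, path, hits):
    """Recurse through a resource's `data`, collecting non-empty sensitive-looking fields."""
    if isinstance(value, dict):
        for key, child in value.items():
            if SENSITIVE.search(key) and child not in ("", None, [], {}):
                hits.append(".".join(path + [key]))
            _walk(child, path + [key], hits)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            _walk(child, path + [str(i)], hits)


def find_plaintext_secrets(resources: list) -> list:
    """Return '<resource type>.<field path>' for each suspicious field found."""
    hits = []
    for res in resources:
        _walk(res.get("data", {}), [res.get("type", "?")], hits)
    return hits


# Constructed sample response: the standard account resource next to a Vault
# resource (module address and name assumed) holding the secret in plaintext.
SAMPLE = [
    {"type": "0x1::account::Account", "data": {"sequence_number": "7"}},
    {"type": "0xcafe::vault::Vault", "data": {"secret": "hunter2"}},
]

if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE):
        print("plaintext sensitive field stored on-chain:", hit)
```

Any hit means the value is readable by every node client, so the resource design needs to change before deployment.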

Recommended Mitigation

Any value stored in an on-chain resource is public and can be read through the REST API or off-chain tools. It is recommended not to store any sensitive data, such as secrets, on-chain.

Updates

Lead Judging Commences

bube Lead Judge 18 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can see the `secret` on chain
