Secret Vault on Aptos

First Flight #46
Submission Details
Severity: medium
Valid

Incorrect access control prevents users from retrieving their secrets

Description

  • The Secret Vault contract has a design flaw that makes it completely unusable. Users can store secrets but can never retrieve them.

  • The get_secret() function contains this check:

    assert!(caller == @owner, NOT_OWNER)

  • A regular user's address can never equal the hardcoded owner address, so this check rejects every legitimate caller.

Problem: only the hardcoded @owner address can call this function, so no other user can read back their own secret.

Risk

Likelihood:

  • HIGH

Impact:

  • Permanent data loss - stored secrets become inaccessible forever

  • Complete service breakdown - users can write but never read their data


Proof of Concept

  • User flow:

  • Regular users store secrets at their own addresses

  • Regular users are NOT the owner

  • get_secret() therefore aborts for every legitimate user

    Alice calls set_secret("my-password")   SUCCESS
    Alice calls get_secret()                FAILS - "NOT_OWNER" error
    Bob calls set_secret("bob-secret")      SUCCESS
    Bob calls get_secret()                  FAILS - "NOT_OWNER" error

Result: secrets go in, secrets never come out.
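To make the description and the proof-of-concept flow above concrete, here is an added example module (not the contest's own code) that places the vulnerable get_secret() beside the corrected one and exercises Alice's flow in Move unit tests. It assumes a module named secret_vault::vault whose named address `@secret_vault` plays the role of `@owner`, that set_secret() publishes a Vault resource under the caller's address (as the proof of concept states), and abort-code values of 1 and 2; all of these are assumptions.

```move
module secret_vault::vault {
    use std::signer;
    use std::string::{Self, String};

    // Abort codes: the numeric values are assumed for this example.
    const NOT_OWNER: u64 = 1;
    const ERROR_NO_VAULT: u64 = 2;

    // One Vault resource is published under each user's own address.
    struct Vault has key {
        secret: String,
    }

    // Unchanged: stores the caller's secret at the caller's address.
    public entry fun set_secret(caller: &signer, secret: String) {
        move_to(caller, Vault { secret });
    }

    // Vulnerable version: compares the caller with the hardcoded owner
    // address, so every call from a regular user aborts with NOT_OWNER.
    public fun get_secret_vulnerable(caller: &signer): String acquires Vault {
        let addr = signer::address_of(caller);
        assert!(addr == @secret_vault, NOT_OWNER);
        let vault = borrow_global<Vault>(@secret_vault);
        vault.secret
    }

    // Fixed version: reads the Vault published under the caller's own address.
    public fun get_secret(caller: &signer): String acquires Vault {
        let addr = signer::address_of(caller);
        assert!(exists<Vault>(addr), ERROR_NO_VAULT);
        let vault = borrow_global<Vault>(addr);
        vault.secret
    }

    // Alice (not the owner) stores a secret and reads it back with the fix.
    #[test(alice = @0xA11CE)]
    fun alice_round_trip(alice: &signer) acquires Vault {
        set_secret(alice, string::utf8(b"my-password"));
        assert!(get_secret(alice) == string::utf8(b"my-password"), 0);
    }

    // The same flow through the vulnerable function aborts with NOT_OWNER (1).
    #[test(alice = @0xA11CE)]
    #[expected_failure(abort_code = 1)]
    fun alice_blocked_by_owner_check(alice: &signer) acquires Vault {
        set_secret(alice, string::utf8(b"my-password"));
        let _ = get_secret_vulnerable(alice);
    }
}
```

Run the tests with `aptos move test` from a package that declares the `secret_vault` named address in its Move.toml.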

Recommended Mitigation

  • Replace the owner check with a per-caller check so that each user reads from the vault stored at their own address:

- assert!(caller == @owner, NOT_OWNER);
- let vault = borrow_global<Vault>(@owner);
+ assert!(exists<Vault>(caller), ERROR_NO_VAULT);
+ let vault = borrow_global<Vault>(caller);
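Review bot: `ERROR_NO_VAULT` is introduced on the `+ assert!(exists<Vault>(caller), ERROR_NO_VAULT);` line, but no `const ERROR_NO_VAULT: u64 = ...;` declaration appears in the patch; add that constant (with a code distinct from NOT_OWNER) or the module will not compile. The fix also depends on set_secret() publishing each user's Vault under the caller's own address, as the proof of concept states, and get_secret() must keep its `acquires Vault` annotation since the `+ let vault = borrow_global<Vault>(caller);` line still borrows the resource.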
Updates

Lead Judging Commences

bube Lead Judge 19 days ago
Submission Judgement Published
Validated
Assigned finding tags:

The protocol doesn't work as intended
