Secret Vault on Aptos

First Flight #46
Submission Details
Severity: high
Valid

Access Control bypass in get_secret

Root + Impact

Description

  • Normally, only the designated owner account should be able to retrieve the secret from the vault by signing a transaction with their private key.

  • In the current implementation, the get_secret function accepts an address parameter from user input rather than validating the actual transaction signer. This allows any account to call the function and supply the owner's public address as an argument, completely bypassing the intended access control mechanism.

    public fun get_secret(caller: address): String acquires Vault {
        // @> Vulnerable line: trusts the user-supplied address
        assert!(caller == @owner, NOT_OWNER);
        let vault = borrow_global<Vault>(@owner);
        vault.secret
    }

Risk

Likelihood:

  • Any external account can call get_secret and simply provide the owner's public address as the caller parameter.

  • The owner's address is publicly visible on-chain, making it trivial for attackers to obtain and use.

  • No cryptographic verification of the transaction signer occurs, making exploitation guaranteed.

Impact:

  • Complete breach of confidentiality: anyone can read the supposedly protected secret.

  • Undermines the entire security model of the vault system.

  • Makes the access control mechanism completely ineffective.

Proof of Concept

// Attacker calls the function from their own account
// but supplies the owner's address as parameter
let stolen_secret = get_secret(@owner);
// Returns the secret even though attacker is not the owner
// No verification that the attacker actually controls @owner account
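
The difference between checking an address argument and checking the transaction signer, written as Move unit tests. This is an added example, not the contest's code or the submitter's: the module name `vault_example`, the helpers `set_secret` and `get_secret_unchecked`, and the value of `NOT_OWNER` are assumptions, and `owner` is assumed to be a named address in `Move.toml`.

```move
// Added example, not the contest's code. Assumed names: vault_example, set_secret,
// get_secret_unchecked, the value of NOT_OWNER; `owner` is a named address in Move.toml.
module owner::vault_example {
    use std::signer;
    use std::string::{Self, String};

    const NOT_OWNER: u64 = 1;

    struct Vault has key { secret: String }

    public fun set_secret(s: &signer, secret: String) {
        assert!(signer::address_of(s) == @owner, NOT_OWNER);
        move_to(s, Vault { secret });
    }

    // Shape from the report: `caller` is argument data chosen by whoever calls.
    public fun get_secret_unchecked(caller: address): String acquires Vault {
        assert!(caller == @owner, NOT_OWNER);
        borrow_global<Vault>(@owner).secret
    }

    // Signer-based shape: the address is derived from the transaction signer.
    public fun get_secret(s: &signer): String acquires Vault {
        assert!(signer::address_of(s) == @owner, NOT_OWNER);
        borrow_global<Vault>(@owner).secret
    }

    #[test(owner = @owner)]
    fun owner_signer_reads_secret(owner: &signer) acquires Vault {
        set_secret(owner, string::utf8(b"constructed"));
        assert!(get_secret(owner) == string::utf8(b"constructed"), 100);
    }

    #[test(owner = @owner, other = @0x123)]
    #[expected_failure(abort_code = NOT_OWNER, location = Self)]
    fun other_signer_is_rejected(owner: &signer, other: &signer) acquires Vault {
        set_secret(owner, string::utf8(b"constructed"));
        get_secret(other);
    }

    #[test(owner = @owner)]
    fun address_argument_is_not_authentication(owner: &signer) acquires Vault {
        set_secret(owner, string::utf8(b"constructed"));
        // The only input is the public address; no signer for @owner is involved.
        assert!(get_secret_unchecked(@owner) == string::utf8(b"constructed"), 101);
    }
}
```

The second test is the regression check worth keeping in the suite: it fails if the function ever goes back to accepting an address in place of a signer.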

Recommended Mitigation

- public fun get_secret(caller: address): String acquires Vault {
- assert!(caller == @owner, NOT_OWNER);
+ public fun get_secret(s: &signer): String acquires Vault {
+ assert!(signer::address_of(s) == @owner, NOT_OWNER);
let vault = borrow_global<Vault>(@owner);
vault.secret
}
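
Review bot: The added `signer::address_of(s)` call on the `+ assert!` line needs `use std::signer;` in the module, and the hunk does not show that import; add it to the patch if the module does not already have it. Because the parameter changes from `address` to `&signer`, every existing caller of `get_secret` has to be updated as well, and a unit test in which a non-owner signer aborts with `NOT_OWNER` would keep the check from regressing.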
Updates

Lead Judging Commences

bube Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of signer check in `get_secret`
