Secret Vault on Aptos

First Flight #46
Tags: Beginner Friendly, Wallet
100 EXP
Submission Details
Severity: high
Valid

SecretVault - Blockchain Data Transparency Exposes All Stored Secrets Publicly

Description

The SecretVault contract stores secrets as plaintext in blockchain resources, making them publicly visible to anyone who can query the blockchain. Despite the contract's intended purpose of providing "secret" storage, all data stored on-chain is inherently transparent and accessible through blockchain explorers, CLI tools, and API queries. This completely defeats the purpose of a "secret" vault.

Root Cause

The fundamental issue is storing sensitive data directly on a public blockchain without encryption. The Move resource system stores all data transparently in global storage, accessible through standard blockchain queries.

struct Vault has key {
    secret: String
}

public fun set_secret(caller: &signer, secret: vector<u8>) {
    let secret_vault = Vault { secret: string::utf8(secret) }; // @audit-issue: plaintext storage
    move_to(caller, secret_vault);
    event::emit(SetNewSecret {});
}

Key issues:

  1. Secrets stored as plaintext in blockchain resources

  2. All blockchain data is publicly queryable by design

  3. No encryption or obfuscation mechanisms implemented

Risk

Likelihood: High - Any user can trivially query blockchain data using standard tools

Impact: High - Complete exposure of all "secret" data to the public

Impact

High severity because:

  • Completely violates the confidentiality guarantee promised by a "secret" vault

  • All stored secrets are permanently exposed on the public blockchain

  • Defeats the entire purpose and value proposition of the application

Proof of Concept

Complete reproduction steps showing how anyone can access stored secrets:

Step 1: Initialize account and publish contract

# Initialize account on devnet
aptos init --network devnet
# Publish the contract
aptos move publish --named-addresses owner=f2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85,secret_vault=f2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85

Step 2: Create and execute script to set secret

Create scripts/set_secret.move:

script {
    use secret_vault::vault;

    fun main(account: &signer) {
        // The secret literal is compiled into the script bytecode, so it is
        // part of the transaction payload as well as the stored resource.
        vault::set_secret(account, b"my_super_secret_password_123");
    }
}

# First compile the script with both named addresses
aptos move compile-script --named-addresses owner=f2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85,secret_vault=f2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85
# Then run the compiled script
# Note: this fails if a Vault resource already exists under the account, because move_to cannot overwrite an existing resource
aptos move run-script --compiled-script-path ./script.mv --assume-yes
# For a fresh demonstration, use a new account (or reuse the compiled script from an earlier successful run)

Step 3: Verify secret exposure in multiple locations

The secret is exposed in multiple ways:

A) Account resources

# Anyone with CLI access can view the secret by querying account resources
aptos account list --account f2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85

Result: Secret exposed in stored resource

{
  "Result": [
    {
      "0xf2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85::vault::Vault": {
        "secret": "my_super_secret_password_123" // @audit: Completely exposed!
      }
    }
  ]
}

B) Transaction history and bytecode

# View transaction details on blockchain explorer or via API
curl "https://fullnode.devnet.aptoslabs.com/v1/transactions/by_hash/0xaa0ab871ffea1a3b35fd4197df58f5ee223ef0e451f41d8d10bfdff44b61cf04"

The transaction payload contains the script bytecode with the secret embedded in plaintext:

6d795f73757065725f7365637265745f70617373776f72645f313233

When decoded from hex: my_super_secret_password_123

Anyone can view this in the blockchain explorer or by querying the transaction data directly.

The secret is permanently visible in:

  1. Transaction payload/bytecode - embedded in the script and accessible via blockchain explorer

  2. Account resources - stored in the Vault resource
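The two exposure points above can be checked mechanically during review. The following is an added example (not part of the original finding or the SecretVault project): it scans a transaction payload's hex for readable ASCII runs, which is how the embedded secret constant surfaces in the script bytecode, and walks the JSON returned by `aptos account list` to list every string field held in a resource. The payload hex is a constructed sample: the 28-byte run quoted in the finding wrapped in a few placeholder bytes, not a real compiled script.

```python
import string

# Constructed sample payload: placeholder bytes around the hex run quoted in
# the finding. Not a real compiled Move script.
SAMPLE_PAYLOAD_HEX = (
    "a11ceb0b0600000001"
    + "6d795f73757065725f7365637265745f70617373776f72645f313233"
    + "0200"
)

# Constructed sample modelled on the `aptos account list` output in the finding.
SAMPLE_RESOURCES = {
    "Result": [
        {
            "0xf2def06af10906e4da78ce8c7ab8a4b222e97dfe54af0bb0ab5f7e1a48379e85::vault::Vault": {
                "secret": "my_super_secret_password_123"
            }
        }
    ]
}

# Printable ASCII without control/whitespace characters other than space.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def printable_runs(blob: bytes, min_len: int = 8) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes in blob."""
    runs, current = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def scan_payload_hex(payload_hex: str, min_len: int = 8) -> list[str]:
    """Decode a hex-encoded payload (with or without 0x) and list readable runs."""
    blob = bytes.fromhex(payload_hex.removeprefix("0x"))
    return printable_runs(blob, min_len)


def string_fields(resources) -> list[tuple[str, str]]:
    """Walk account-resource JSON and return (path, value) for every string field."""
    found: list[tuple[str, str]] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str):
            found.append((path, node))

    walk(resources, "")
    return found


if __name__ == "__main__":
    for run in scan_payload_hex(SAMPLE_PAYLOAD_HEX):
        print("readable run in payload:", run)
    for path, value in string_fields(SAMPLE_RESOURCES):
        print("string field in resource:", path, "=", value)
```

Both functions are review aids: any readable run in a payload, and any string field in a resource, is data that every full node and explorer already serves to the public, so each hit is something the application must be able to justify as non-sensitive.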

Recommended Mitigation

Primary Recommendation: Do not store secrets on blockchain

The fundamental issue is that public blockchains are inherently transparent. If the application must reference a secret on chain at all, it should store only a value derived from the secret that reveals nothing about it:

  1. Zero-knowledge proofs: Use ZK systems to verify secret knowledge without revealing the secret

  2. Commitment schemes: Store only cryptographic commitments for later verification

Updates

Lead Judging Commences

bube Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Anyone can see the `secret` on chain
