Submission Details
Severity:
Bypassable access control in `#[view] get_secret`
Root + Impact
Description
get_secretchecksassert!(caller == @owner, NOT_OWNER), butcalleris a user-supplied parameter. Any caller can pass@ownerand satisfy the assertion.
// secret_vault.move
#[view]
public fun get_secret(caller: address): String acquires Vault {
@> assert!(caller == @owner, NOT_OWNER); // user-controlled parameter
let vault = borrow_global<Vault>(@owner);
@> vault.secret
}
Risk
Likelihood:
Whenever
get_secretis callable, any external user can passcaller = @ownerand bypass the check.
Impact:
Secret is exposed to any user.
Proof of Concept
// Pseudo-call via script or SDK:
let leaked = secret_vault::vault::get_secret(@owner);
// Works for any caller because `caller` is just an argument, not an authenticated signer.
Recommended Mitigation
- #[view]
- public fun get_secret(caller: address): String acquires Vault {
- assert!(caller == @owner, NOT_OWNER);
- let v = borrow_global<Vault>(@owner);
- v.secret
- }
+ // Do not implement plaintext getters. There is no way to enforce secrecy in a view.
Updates
Lead Judging Commences
bube 19 days ago
Submission Judgement Published Assigned finding tags:
Lack of signer check in `get_secret`
Rewards breakdown
nSLOC
30This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.