Secret Vault on Aptos

First Flight #46
Beginner Friendly, Wallet
100 EXP
Submission Details
Severity: high
Valid

Hardcoded Address Authentication Bypass

Root + Impact

Description

Scope: /sources/secret_vault.move

  • The contract uses an undefined hardcoded address @owner in access control mechanisms

  • This creates an authentication bypass vulnerability where the owner validation will fail

  • Any caller can potentially access restricted functions due to improper address resolution

Risk

  • Likelihood: High - The vulnerability is present in core authentication logic

  • Impact: Critical - Complete bypass of access controls, unauthorized secret access

Likelihood:

  • Reason 1: The @owner address is referenced but never properly defined in the contract

  • Reason 2: During compilation, this will either fail or resolve to an unexpected address

Impact:

  • Impact 1: Unauthorized users can potentially access or manipulate secrets

  • Impact 2: Complete failure of the authentication mechanism

Proof of Concept

// Current vulnerable code
assert!(caller == @owner, NOT_OWNER);
// @owner is undefined, causing compilation failure or unexpected behavior

Recommended Mitigation

// Remove this code
- assert!(caller == @owner, NOT_OWNER);
// Add this code
+ struct VaultConfig has key { owner: address }
+ public entry fun initialize(owner: &signer) {
+ let config = VaultConfig { owner: signer::address_of(owner) };
+ move_to(owner, config);
+ }
+ assert!(caller == borrow_global<VaultConfig>(@contract_address).owner, NOT_OWNER);
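
Review bot: the new assert reads `VaultConfig` from `@contract_address`, but `initialize` stores it with `move_to(owner, config)`, i.e. under the caller's own address, so the lookup only succeeds when the initializing account is the one `@contract_address` resolves to. `@contract_address` is itself a named address, the same kind of dependency the removed `@owner` check relied on, so it needs to be declared and documented. `initialize` is also `public entry` with no check on who calls it; restrict it to the publishing account (for example by asserting on `signer::address_of(owner)` before `move_to`) so the stored owner is the one the later check is meant to trust.
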
Updates

Lead Judging Commences

bube Lead Judge 19 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of signer check in `get_secret`
