Secret Vault on Aptos

First Flight #46

Beginner FriendlyWallet

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Secret Data Stored On-Chain Is Publicly Visible

yo4nn

Secret Data Stored On-Chain Is Publicly Visible

Description

Normally, smart contracts store sensitive data securely or use encryption/off-chain storage.
In this Move contract, when the set_secret function is called, the secret is stored directly in the Vault resource on-chain. Any data stored on-chain is visible to all participants of the blockchain, meaning anyone can read the secret by inspecting the chain state.

@>public entry fun set_secret(caller:&signer,secret:vector<u8>){

@>let secret_vault = Vault{secret: string::utf8(secret)};

@>move_to(caller,secret_vault);

event::emit(SetNewSecret {});

}

Risk

Likelihood: High

Any user with access to blockchain state can read the secret immediately after set_secret is called.
No additional permissions or access control can prevent this, since blockchain storage is inherently public.

Impact: High

Leakage of sensitive secrets stored in the contract.
Compromise of confidential information or business logic relying on the secrecy of these values.

Proof of Concept

Recommended Mitigation

It is recommended to avoid storing plaintext sensitive data on-chain. Secrets should be encrypted before being stored, or kept off-chain with access controlled by the contract.

- public entry fun set_secret(caller:&signer, secret:vector<u8>){

- let secret_vault = Vault{secret: string::utf8(secret)};

- move_to(caller, secret_vault);

- event::emit(SetNewSecret {});

- }

+ public entry fun set_secret(caller:&signer, secret:vector<u8>){

+ // Encrypt the secret before storing it on-chain

+ let encrypted_secret = crypto::encrypt(secret, owner_public_key);

+ let secret_vault = Vault{secret: encrypted_secret};

+ move_to(caller, secret_vault);

+ event::emit(SetNewSecret {});

+ }

Updates

Lead Judging Commences

bube Lead Judge 18 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Anyone can see the `secret` on chain

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.