Deployment script comments leak all private inputs, breaking ZK privacy guarantees

Description

The TreasureHunt system relies on ZK proofs so that participants can prove they found a treasure without revealing its secret value. The security of the entire protocol depends on the treasure secrets remaining unknown to the public.

However, the deployment script Deploy.s.sol contains all 10 treasure secrets in a plaintext comment. This file is committed to the repository, making the private inputs visible to anyone with repository access.

An attacker can read the secrets, compute valid ZK proofs for every treasure, and drain the full 100 ETH contract balance without ever participating in the hunt.

Risk

Likelihood: High

The secrets are stored in a source file that is tracked by git. Every contributor, CI system, and anyone with read access to the repository sees them in plaintext.

Impact: High

An attacker generates valid proofs for all 10 treasures using the leaked secrets and the publicly known hashes, then calls claim 10 times to drain the entire 100 ETH balance.

Proof of Concept

1. Attacker clones or views the repository

2. Reads in Deploy.s.sol that the secrets are 1, 2, 3, 4, 5, 6, 7, 8, 9, 10

3. Reads all corresponding treasure hashes

4. For each secret/hash pair, generates a valid Noir ZK proof off-chain using nargo prove

5. Submits 10 claim transactions, each collecting 10 ETH

6. Contract is fully drained

Recommended Mitigation

Remove all secret values from source control. Treasure secrets should be stored in a secure, off-chain secrets manager and never be committed to the repository. Additionally, since these secrets are now compromised in git history, they must be rotated with high-entropy secrets, as git log preserves the old values.