Smart Contract Security - Exploit: Public Data

Support

_Follow along with this video:_ --- ### Alright, one function down, one to go. Let's take a look at what's next. ```js /* * @notice This allows only the owner to retrieve the password. * @param newPassword The new password to set. */ function getPassword() external view returns (string memory) { if (msg.sender != s_owner) { revert PasswordStore__NotOwner(); } return s_password; } ``` Starting, starting as always with the `NatSpec` documentation, we see a couple things to note: - Only the owner should be able to retrieve the password (_your `access control` bells should be ringing_) - The function should take the parameter `newPassword`. We see a problem on the very next line. This function _doesn't take_ a parameter. Certainly informational, but let's make a note of it. ```js /* * @notice This allows only the owner to retrieve the password. // @Audit - parameter not used by function, NatSpec can be removed * @param newPassword The new password to set. */ ``` Let's take a look at the function itself. ::image{src='/security-section-3/10-exploit-public-data/public-data1.png' style='width: 100%; height: auto;'} The function looks great! Adhering to the required access control, we can be sure only the owner can call this function. So we're done, right? Web3 is secure! 🥳 ... Well, not exactly. There's another issue hidden in this contract and I want you to take a moment before continuing to try to find it. I'll give you a hint: `State Variables`. ... <details closed> <summary>The Vulnerability</summary> ::image{src='/security-section-3/10-exploit-public-data/public-data2.png' style='width: 100%; height: auto;'} We've uncovered a major flaw in the business logic of this protocol. It's best we make a note of this. ```js address private s_owner; // @Audit - s_password variable is not actually private! Everything on the blockchain is public, this is not a safe place to store your password. string private s_password; ``` </details> ### Wrap up If you're unsure how it's possible for someone to read this data, don't worry - we'll be writing a proof of code to show how it's done. This is something covered in our [**Foundry Course**](https://updraft.cyfrin.io/courses/advanced-foundry) however, consider a refresher if this is entirely new to you as we'll be building on these concepts later on.

Exploit: Public Data

Exploit Public Data - Private Variables Aren't Private! Explore this vulnerability in PasswordStore.

Solidity Developer

Smart Contract Security

Course Introduction

Duration: 25min

Section 1: Review

Duration: 1h 18min

Section 2: What is a smart contract audit

Duration: 35min

Section 3: Your First Audit | PasswordStore

Duration: 2h 28min

1. Your First Security Review

All the things we'll cover in this section! High-level info. Learn to conduct audits, prepare PDF reports, scope, reconnaissance, vulnerability identification & reporting. Duration: 5min

2. Scoping: Etherscan

Learn why test suites and deployment frameworks are important prerequisites in a security review/audit. REKT Test discussed as an evaluation tool. Duration: 6min

3. Scoping: Audit Details

Exploring the codebase, examining contracts in scope for audit, starting with PasswordStore.sol - simple, key concepts for Solidity & smart contract security. Duration: 13min

4. Scoping: cloc

CLOC demonstration - Measure nSLOC, estimate code base audit time. Duration: 3min

5. Recap I

Recap of smart contract scoping & review tips with Patrick. Focus on mature code bases, test suites, and documentations. Review onboarding form usage for engaging clients. Duration: 3min

6. "The Tincho"

Learn how the legendary Tincho approaches his audits in this overview of his systematic technique, brought to us by Tincho himself! Duration: 15min

7. Recon: Context

Starting in on PasswordStore using The Tincho! Read and understand context & docs, leveraging Solidity Metrics VS Code extension. Duration: 5min

8. Recon: Understanding the code

Demonstrates step-by-step approach, note-taking, communication with team. Gain understanding, identify vulnerabilities. Duration: 3min

9. Exploit: Access control

Missing Access Control - Vulnerability Discovered! Duration: 3min

10. Exploit: Public Data

Exploit Public Data - Private Variables Aren't Private! Explore this vulnerability in PasswordStore. Duration: 3min

11. Recap II

Patrick recaps the vulnerabilities found so far: No Owner Check, Erroneous Parameter, Unsafe Storage on Chain. Duration: 1min

12. Protocol Tests

Validating protocol tests and coverage, emphasizing thoroughness! Duration: 3min

13. Writing an amazing finding

Patrick explains reporting process. How to create a detailed report with Markdown. Discusses importance of issues & solutions. Duration: 4min

14. Writing an amazing finding: Title

Learn how to write better findings: focus on repetition, use clear titles with root causes & impact, example of effective title creation in a security report. Duration: 2min

15. Writing an amazing finding: Description

Writing a description for our report detailing all the necessary information about our discovered vulnerability. Duration: 4min

16. Writing an amazing finding: Proof of code

Writing a proof of code to indisputably prove the vulnerabilities we've found! Duration: 3min

17. Writing an amazing finding: Recommended Mitigation

Writing a great recommended mitigation for the issues found in PasswordStore! Duration: 2min

18. Finding Writeup

Recap finding write ups: Structured format, clear communication, specific details (code snippets). Duration: 2min

19. Access Control Writeup

Add missing access control in PasswordStore's set password function. Use code examples & tips on markdown formatting. Duration: 3min

20. Missing Access Controls Proof Of Code

Vulnerability proof: Write test case using the protocols test suite Duration: 5min

21. Finding Writeup Docs

Writing up our finding for incorrect NatSpec! Duration: 3min

22. Augmented Report With Ai

Using AI to improve our writing and grammar. Duration: 3min

23. Quick Primer On What We Are Learning Next

Audit data, severity ratings, PDF report creation. Instructions by Patrick on accomplishing tasks using tools & resources. Duration: 2min

24. Severity Rating Introduction

Learn how to determine severity ratings for findings in security reviews with the CodeHawks docs as a guide! Duration: 4min

25. Assessing Highs

Audit report severity evaluation using likelihood & impact methodology, demonstrated with examples & steps. Duration: 4min

26. Severity Rating Informational

Assessing informational severity as a potential issue, unlikely to disrupt code functionality. Duration: 3min

27. Timeboxing

In this video, Patrick discusses timeboxing in reviewing codebases & moving on when needed. Learn effective time management for security research. Duration: 2min

28. Making A Pdf

Generate a professional PDF report from a markdown file! Duration: 12min

29. Building Your Portfolio

Creating a GitHub public repo for storing smart contract audit and security journey in PDF format. Build that portfolio and get your name out there! Duration: 2min

30. Exercises

Celebrate progress, join CodeHawks! Rest & prep for bigger challenges ahead. Duration: 4min

31. Isolated Dev Environments

Duration: 12min

32. Recap & Congrats

Patrick recaps your first security review steps: onboarding, docs, scope, vulnerabilities, mitigation and reporting Duration: 9min

Section 4: Puppy raffle

Duration: 5h 03min

Section 5: TSwap

Duration: 5h 22min

Section 6: Thunder Loan

Duration: 4h 33min