Ethernaut — Level 8— Vault
The challenge taught me one of the fundamental fact about blockchain. We all have been reading that the blockchain technology is very secure, transparent and cannot be tampered with. But imagine what if I store some sensitive information on the blockchain like a password or private keys.
Is the blockchain a good place to store such information. Lets find out !
Click here to access the source code
Investigation
We need to unlock the vault to complete the challenge!
So, there are two variables and a function defined in the challenge. If you don't already remember you can view publicly available items using “contract.abi”
As we can clearly see the private variable “password” is initialized when the contract is deployed. And at this point the only way to unlock the contract is passing the right password as the argument to the “unlock ”function.
The Solution
Remember blockchain are supposed to be transparent and public/private properties defined against variables and functions are with respect to who can access it at runtime. What I mean to say is that the password is basically stored somewhere on the blockchain and we can read it using the contract address and the slot number.
If you have like three variables defined, the blockchain uses slot system to store each variable irrespective of private/public property.
So varaible1 -> Slot 0, varaible2 -> Slot 1.
You get the point right.
Using the “getStorageAt” function by web3, one can easily read the contents of the of private variables by passing the correct slot number. The whole point of declaring the variable as private is to make it read-only and not allow anyone else to update it.
var pwd;
web3.eth.getStorageAt(contract.address, 1, function(err, result)
{ pwd = result })
web3.utils.toAscii(pwd) //gets the ascii value
contract.unlock(pwd)// pass the correct password
await contract.locked() // "false"To conclude, I just wanna say that they are numerous applications of blockchain but storing sensitive information is not one of them. You are maybe encrypt the value and store but using of chain storage methods is the best solution.
Thanks for Reading !
