Lines of code
https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/lib/proxy/ERC1967Upgrade.sol#L21-L24
Vulnerability details
Impact
The contract hardcodes private keys of wallets that have already been used on Ethereum mainnet. If anyone imports those keys into a wallet, or a sweeper bot watches the corresponding addresses, any funds the owners later transfer to those addresses can be drained immediately. Storing private keys in a smart contract is also pointless: contract code cannot sign or submit transactions on its own (nodes execute contracts; contracts do not drive nodes), so a key in contract code can never be used by the contract, only read by anyone inspecting the chain.
Proof of Concept
Import the private keys 4910fdfa16fed3260ed0e7147f7cc6da11a60208b5b9406d12a635614ffd9143 and 360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc into any wallet and you can make transfers from them.
Tools Used
Manual review
Recommended Mitigation Steps
Use only freshly generated, throwaway wallet keys in anything published on GitHub, and never store private keys in smart contract code.