Closed (code423n4 closed this issue 1 year ago)
Is there any reason that users shouldn't know the allowed senders?
Picodes marked the issue as unsatisfactory: Insufficient quality
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/packages/prepo-shared-contracts/contracts/AllowedMsgSenders.sol#L8
Vulnerability details
Impact
Private variable can be read from an attacking Solidity file.
Proof of Concept
Private variable on line 8: https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/packages/prepo-shared-contracts/contracts/AllowedMsgSenders.sol#L8
Screendump PoC: https://github.com/gbadebosmith/ouch/blob/main/ReadablePrivateData20221212.jpg
Attack PoC: https://github.com/gbadebosmith/ouch/blob/main/AttackAllowedMsgSenders.sol
Tools Used
Remix IDE
Recommended Mitigation Steps
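The finding above rests on a property worth making concrete for readers who are new to it: Solidity's `private` keyword only stops other contracts from reading a variable through the language; every storage slot of every contract is public chain state that any node will return via `eth_getStorageAt`, and the slot each variable occupies is published by `solc --storage-layout`. The example below is added here and is not code from the prepo repository or from the finding's author; it decodes `private` variables from a constructed storage dump (the slot values and the variable labels, including `allowedMsgSenders`, are made up for illustration and do not reflect the real layout of AllowedMsgSenders.sol). The defender's takeaway is the one the judge's question points at: nothing placed in contract storage is confidential, so `private` must never be the control that protects a secret.

```python
"""Decode Solidity `private` variables from raw storage words.

Added example (not from the prepo contracts): shows why `private` is a
compile-time visibility modifier, not a confidentiality control. The 32-byte
words below are CONSTRUCTED stand-ins for what a node returns from
eth_getStorageAt; the layout mirrors the shape of `solc --storage-layout`
output (label, slot, byte offset from the low-order end, numberOfBytes).
"""
from dataclasses import dataclass

SLOT_BYTES = 32


@dataclass(frozen=True)
class Field:
    label: str    # variable name from the storage layout
    typ: str      # "address", "bool", "uintN" or "bytesN"
    slot: int     # storage slot index
    offset: int   # byte offset from the right (low-order) end of the slot
    size: int     # numberOfBytes occupied by the variable


# Constructed layout. Slot 1 shows packing: three variables share one word.
# The labels are hypothetical; the real contract's layout comes from solc.
LAYOUT = [
    Field("allowedMsgSenders", "address", slot=0, offset=0, size=20),
    Field("paused", "bool", slot=1, offset=0, size=1),
    Field("feeBps", "uint16", slot=1, offset=1, size=2),
    Field("owner", "address", slot=1, offset=3, size=20),
]

# Constructed storage dump: slot -> 32-byte big-endian word, as a node would
# return it. Slot 1 is built right-to-left: 9 unused bytes, owner (20 bytes),
# feeBps (2 bytes, 500 = 0x01f4), paused (1 byte, true).
SAMPLE_STORAGE = {
    0: bytes.fromhex("00" * 12 + "11" * 20),
    1: bytes.fromhex("00" * 9 + "22" * 20 + "01f4" + "01"),
}


def decode_field(word: bytes, field: Field):
    """Extract one packed variable from a 32-byte storage word."""
    if len(word) != SLOT_BYTES:
        raise ValueError("a storage word must be exactly 32 bytes")
    # Solidity packs from the low-order end, so the variable's bytes are
    # the `size` bytes that end `offset` bytes before the end of the word.
    end = SLOT_BYTES - field.offset
    raw = word[end - field.size:end]
    if field.typ == "address":
        return "0x" + raw.hex()
    if field.typ == "bool":
        return raw != b"\x00"
    if field.typ.startswith("uint"):
        return int.from_bytes(raw, "big")
    if field.typ.startswith("bytes"):
        return raw
    raise ValueError(f"unsupported type {field.typ}")


def decode_storage(storage: dict, layout: list) -> dict:
    """Map every variable in the layout to its decoded value.

    `storage` is {slot: 32-byte word}; missing slots read as all-zero, which
    is exactly what a node returns for storage that was never written.
    """
    zero = b"\x00" * SLOT_BYTES
    return {f.label: decode_field(storage.get(f.slot, zero), f) for f in layout}


if __name__ == "__main__":
    # Every value below was declared `private` in the hypothetical contract,
    # and every one of them is recoverable from the public storage words.
    for label, value in decode_storage(SAMPLE_STORAGE, LAYOUT).items():
        print(f"{label}: {value}")
```

In practice the words come from `eth_getStorageAt(contract, slot)` and the layout from `solc --storage-layout`; the decoder itself needs neither a node nor a compiler, which is the point: reading `private` state requires no exploit, only public data. The only mitigation is architectural, keep secrets off-chain or commit to hashes of them, and for values such as an allow-list there is nothing to hide in the first place.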