hats-finance / illuminex-0x0bb4aa1f58719707405c231fcdf0b405714799cf


Anyone can see `keyPair::privateKey` #19

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: @SB-Security
Twitter username: SBSecurity_
Submission hash (on-chain): 0x5ba31db77afa68b50c84444343fa8b0838b248e096d57bc080f132f14560c72e
Severity: low

Description: `TEERollup::_keyPair` is private, but when deployed everyone can inspect and retrieve the private key.

Attack Scenario: Users can inspect the storage of the TEERollup contract and retrieve `_keyPair::privateKey`.

Attachments

  1. Proof of Concept (PoC) File

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.0;

import {Sapphire} from "@oasisprotocol/sapphire-contracts/contracts/Sapphire.sol";

abstract contract TEERollup {

    struct WitnessSignature {
        bytes publicKey;
        bytes signature;
    }

    // Contract-held signing key pair; `privateKey` is the member the report is about.
    struct ContractSigningKeyPair {
        bytes publicKey;
        bytes privateKey;
    }

    struct WitnessActivation {
        bytes publicKey;
        bool isActive;
    }

    // `private` restricts Solidity-level access only; it says nothing about who can read storage.
    ContractSigningKeyPair private _keyPair;

    mapping(bytes => bool) public witnessPublicKeysSet;
    uint8 public minWitnessSignatures;

    constructor() {
        _updateKeyPair();
    }

    // Generates a fresh secp256k1 key pair via the Sapphire precompiles and stores both halves.
    function _updateKeyPair() internal {
        (bytes memory publicKey, bytes memory privateKey) = Sapphire.generateSigningKeyPair(
            Sapphire.SigningAlg.Secp256k1PrehashedKeccak256,
            Sapphire.randomBytes(32, abi.encodePacked(block.number, msg.sender))
        );

        _keyPair.publicKey = publicKey;
        _keyPair.privateKey = privateKey;
    }
}
```

  2. Revised Code File (Optional)
party-for-illuminati commented 4 months ago

This is invalid. This contract is deployed on Oasis Sapphire, which is handling state differently