Weaknesses due to misconceptions about privacy of data on-chain

Open rschumi42 opened this issue 5 years ago • 3 comments

Is there already an SWC entry for the keeping secret vulnerability [1][2]? The issue occurs when a contract, e.g., a multi-player game, needs to store secret information, e.g., for the next move of a player, and it just stores this information in a private field. However, for writing the field there needs to be a transaction, which makes the value public, and a player might get an advantage because of this.

If there is no related entry, may I just write one?

[1] Atzei, Nicola, Massimo Bartoletti, and Tiziana Cimoli. "A survey of attacks on Ethereum smart contracts." IACR Cryptology ePrint Archive 2016 (2016): 1007.
[2] https://medium.com/solidified/keeping-secrets-on-ethereum-5b556c3bb1ee

rschumi42, Aug 18 '19 19:08
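
The weakness described in the post above, shown next to a commit-reveal variant. This is an added example, not code from the thread or from the SWC registry; the contract and function names are hypothetical, and the commit-reveal mitigation goes beyond what the thread itself states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: a two-player game where each player submits a number.

// Weak form: `private` only stops other contracts from reading the field.
// The argument is in the transaction's calldata and the value is in contract
// storage, so the second player can read it before choosing a move.
contract GamePrivateField {
    mapping(address => uint256) private move;

    function submitMove(uint256 number) external {
        move[msg.sender] = number; // visible to anyone watching the chain
    }
}

// Hardened form: commit-reveal. Only a salted hash goes on-chain until both
// players are committed. The salt must be random: the move space is small,
// so an unsalted hash could be brute-forced.
contract GameCommitReveal {
    address public immutable playerA;
    address public immutable playerB;
    mapping(address => bytes32) public commitment;
    mapping(address => bool) public revealed;
    mapping(address => uint256) public move;
    uint256 public commits;

    constructor(address a, address b) {
        require(a != b, "players must differ");
        playerA = a;
        playerB = b;
    }

    // c = keccak256(abi.encode(player, number, salt)), computed off-chain.
    function commit(bytes32 c) external {
        require(msg.sender == playerA || msg.sender == playerB, "not a player");
        require(c != bytes32(0) && commitment[msg.sender] == bytes32(0), "bad commit");
        commitment[msg.sender] = c;
        commits++;
    }

    function reveal(uint256 number, bytes32 salt) external {
        require(commits == 2, "both players must commit first");
        require(!revealed[msg.sender], "already revealed");
        require(keccak256(abi.encode(msg.sender, number, salt)) == commitment[msg.sender], "mismatch");
        revealed[msg.sender] = true;
        move[msg.sender] = number;
    }
}
```

Binding `msg.sender` into the hash stops one player from copying the other's commitment. A production contract would also need a reveal deadline so that a player who dislikes the other's revealed move cannot stall by never revealing.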

@b-mueller @thec00n what do you think about this? It's the same as this BP recco.

It's inherently subjective, and depends on the developer's intent, but it's definitely a plausible weakness.

maurelian, Dec 06 '19 19:12

Absolutely it's not covered currently. PRs are welcome :)

thec00n, Dec 09 '19 10:12

https://github.com/SmartContractSecurity/SWC-registry/pull/237

kadenzipfel, Jan 09 '20 17:01