
Add `promptSecretUint`

Open ZeroEkkusu opened this issue 1 year ago • 2 comments

Component

Forge

Describe the feature you would like

Problem

The combination broadcast + promptSecret leaks the private key because it requires parseUint, which doesn't obfuscate the value.

Example

Mnemonic:

vm.broadcast(vm.deriveKey(vm.promptSecret("Mnemonic"), 0));
revert();
├─ [0] VM::promptSecret("Mnemonic")
│   └─ ← [Return] <secret>
├─ [0] VM::deriveKey(<pk>) [staticcall]
│   └─ ← [Return] <pk>
├─ [0] VM::broadcast(<pk>)
│   └─ ← [Return] 
└─ ← [Revert] EvmError: Revert

Private key:

vm.broadcast(vm.parseUint(vm.promptSecret("Private key")));
revert();
├─ [0] VM::promptSecret("Private key")
│   └─ ← [Return] <secret>
├─ [0] VM::parseUint("0x0002a1b4984c17435bdd23c3e4d172af9217c4f63cac2edfd8044fd673459042") [staticcall]
│   └─ ← [Return] 4649744120560439147230634839216140256104967990126594206675684809117110338 [4.649e72]
├─ [0] VM::broadcast(<pk>)
│   └─ ← [Return] 
└─ ← [Revert] EvmError: Revert

Solution

Add promptSecretUint.

Additional context

No response

ZeroEkkusu avatar May 17 '24 10:05 ZeroEkkusu
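The leak in the report is visible in the trace itself: forge redacts promptSecret's return as `<secret>` and the derived key as `<pk>`, but the string handed to parseUint and the integer it returns are printed verbatim. As an added example that is not part of the issue or of Foundry, this Python check scans a captured trace for key-sized values that appear after a promptSecret call, which is a useful gate before a trace is pasted into a bug report or archived in CI logs; the two sample traces are constructed from the issue's own examples.

```python
"""Flag secret-sized values that survive redaction in a forge trace.
Added example, not Foundry code: it mirrors the trace format in the issue,
where promptSecret is redacted but parseUint prints its input and output."""
import re

# Constructed from the issue's two traces; the key is the one quoted in the report.
REDACTED_TRACE = """\
├─ [0] VM::promptSecret("Mnemonic")
│   └─ ← [Return] <secret>
├─ [0] VM::deriveKey(<pk>) [staticcall]
│   └─ ← [Return] <pk>
├─ [0] VM::broadcast(<pk>)
│   └─ ← [Return]
"""

LEAKING_TRACE = """\
├─ [0] VM::promptSecret("Private key")
│   └─ ← [Return] <secret>
├─ [0] VM::parseUint("0x0002a1b4984c17435bdd23c3e4d172af9217c4f63cac2edfd8044fd673459042") [staticcall]
│   └─ ← [Return] 4649744120560439147230634839216140256104967990126594206675684809117110338 [4.649e72]
├─ [0] VM::broadcast(<pk>)
│   └─ ← [Return]
"""

SECRET_CALL = re.compile(r"VM::promptSecret\(")
HEX32 = re.compile(r"\b0x[0-9a-fA-F]{64}\b")          # 32-byte hex string: private key width
BIG_UINT = re.compile(r"(?<![\w.])\d{40,}(?![\w.])")  # decimal far larger than typical amounts


def find_leaks(trace):
    """Return (line_number, kind) for every line after a promptSecret call that
    carries a key-sized hex string ('hex32') or a huge decimal ('uint')."""
    leaks = []
    armed = False  # only start flagging once a secret has entered the trace
    for no, line in enumerate(trace.splitlines(), start=1):
        if SECRET_CALL.search(line):
            armed = True
            continue
        if not armed:
            continue
        if HEX32.search(line):
            leaks.append((no, "hex32"))
        elif BIG_UINT.search(line):
            leaks.append((no, "uint"))
    return leaks


if __name__ == "__main__":
    print("redacted:", find_leaks(REDACTED_TRACE))  # []
    print("leaking :", find_leaks(LEAKING_TRACE))   # [(3, 'hex32'), (4, 'uint')]
```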

Hey @ZeroEkkusu! There exists a promptUint cheatcode, maybe that can help you?

/// Prompts the user for uint256 in the terminal.
#[cheatcode(group = Filesystem)]
function promptUint(string calldata promptText) external returns (uint256);

Then you wouldn't have to use parseUint.

kamuik16 avatar May 18 '24 06:05 kamuik16

Exactly, but it doesn't hide what's being typed in the terminal, like promptSecret does:

Private key: [hidden]

I don't think it would be too difficult to implement promptSecretUint.

ZeroEkkusu avatar May 18 '24 11:05 ZeroEkkusu

Relevant: https://github.com/foundry-rs/foundry/blob/5494c33bc7977b3537bd296e375431d938d44ca3/crates/evm/traces/src/decoder/mod.rs#L385-L709

zerosnacks avatar May 29 '24 16:05 zerosnacks