Challenge 25 ☆☆

Welcome to Challenge 25. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Secrets in smart contracts part 1

On public blockchains, everything that is written on-chain is world-readable.

In this challenge, you need to read the variable named secret from the contract 0x8b72f7cbAD50620c46219ad676Ad9d3a5A273587 on the Goerli EVM Testnet.

Answer to solution:

You can solve this challenge by the following steps:

  1. Look at the storage in Etherscan:

    • Look under the contract creation transaction on Etherscan

    • Go to state and look at storage.

  2. Look at the input data in Etherscan:

    • Look under the contract creation transaction on Etherscan

    • Have a look at the input data.

  3. Use Infura with web3js at Infura:

    • Create an Infura key at Infura.

    • Write a simple script with web3js to call the view function on the public string "secret".

  4. Do a storage request at Infura:

    • Create an Infura key at Infura.

    • Read the storage at position 0 for the contract like:

      # INFURA_KEY must hold your Infura key
      curl "https://goerli.infura.io/v3/${INFURA_KEY}" \
      -X POST \
      -H "Content-Type: application/json" \
      -d '{"jsonrpc":"2.0", "method": "eth_getStorageAt", "params": ["0x8b72f7cbAD50620c46219ad676Ad9d3a5A273587", "0x0", "latest"], "id": 1}'
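The storage request in step 4 returns a raw 32-byte word, not a readable string. The following added example (not part of the original challenge) decodes such a word, assuming slot 0 holds a Solidity `string` in the compiler's standard storage layout; `decodeStringSlot`, `encodeShortString` and the sample value are hypothetical names and constructed data.

```javascript
'use strict';

// Decode the 32-byte word that eth_getStorageAt returns for a Solidity
// `string` state variable (assumption: standard Solidity storage layout).
function decodeStringSlot(wordHex) {
  // Some clients strip leading zeros, so left-pad to a full 32-byte word.
  const hex = wordHex.replace(/^0x/i, '').padStart(64, '0');
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('expected a 32-byte hex word');
  }
  const word = Buffer.from(hex, 'hex');
  const last = word[31];
  if ((last & 1) === 0) {
    // Short form (up to 31 bytes): data is left-aligned in the slot and
    // the lowest-order byte stores length * 2.
    const length = last / 2;
    if (length > 31) throw new Error('invalid short-string length');
    return { kind: 'short', length, value: word.subarray(0, length).toString('utf8') };
  }
  // Long form (32 bytes or more): the slot stores length * 2 + 1 and the
  // data itself starts at keccak256(slot), so further reads are needed.
  const length = (BigInt('0x' + hex) - 1n) / 2n;
  return { kind: 'long', length, value: null };
}

// Build a constructed sample word so the example runs offline.
function encodeShortString(text) {
  const data = Buffer.from(text, 'utf8');
  if (data.length > 31) throw new Error('short form holds at most 31 bytes');
  const word = Buffer.alloc(32);
  data.copy(word);
  word[31] = data.length * 2;
  return '0x' + word.toString('hex');
}

// Constructed sample value, not the challenge's secret.
const sample = encodeShortString('not-a-real-secret');
console.log(decodeStringSlot(sample));
```

The same decoding applies to a variable declared `private`, because the storage request reads the slot directly and does not go through the contract's functions.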

Why storing secrets on the blockchain is a bad idea

You should never commit any secret to the blockchain, because all on-chain data is public. A variable declared public is especially easy to read, since anyone can call it as a view function.

Still need to use a secret? Make sure it is part of a supporting system (e.g. an external service you create).