Challenge 27 ☆☆

Welcome to Challenge 27. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Secrets in smart contracts part 3

Our smart contract developer got somewhat smarter and only stored a hashed secret in his contract. He then checks input data against that hash to decide whether a transaction returns true or false. He is sure that, since the secret is never stored in the internal state of the contract, it can't be found.

In this challenge, you need to find the secret that makes the guess method of the contract 0x8318d477f4BCae5a80BEA22E3c040cf8BaaFFe8B on the Goerli EVM Testnet return true.

Answer to solution:

You can find the correct input to the guess method by:

  1. Comparing hashes:

    • Look up the contract on the Etherscan explorer.

    • Pull the hash from the contract storage.

    • Go through the transactions, open the inputs tab of each one and decode the input data as UTF-8.

    • Compare the hashes of the inputs from the transactions with the stored hash value.

Why sending secrets as inputs to smart contracts is a bad idea even if they aren’t stored

Inputs to all transactions sent to contracts, like the internal storage state of contracts on the chain, are stored forever and are easy to query. Inputs to transactions are even visible before those transactions are accepted. This can lead to front-running by a third party who has access to the pool of pending transactions and can send a transaction (with higher gas) that benefits from the known transaction running after it.