Smart Contract / Unencrypted Private Data on-Chain

Description

Unencrypted Private Data On-Chain is a type of software weakness classified in the Common Weakness Enumeration (CWE) directory as CWE-310. It occurs when private data is stored on the blockchain in an unencrypted form, making it open to malicious actors who can access the data. This vulnerability is present in Smart Contract (SWC) code and can be identified through observation and code review.

Risk

The risk associated with this vulnerability is high as it puts the data stored on the blockchain at risk of being stolen or manipulated. Unencrypted data stored on-chain can be accessed by anyone with access to the blockchain, leading to potential data theft or manipulation. As such, it can lead to data breaches, financial and reputational losses, and even legal action.

Solution

The solution to Unencrypted Private Data On-Chain is to ensure that all private data is encrypted before it is stored on the blockchain. Encryption helps protect the data from being accessed or manipulated by malicious actors. The OWASP Testing Guide recommends using strong encryption algorithms, such as AES-256 or RSA-2048, to ensure that data is properly secured. Additionally, if the data must be stored on the blockchain, it should be encrypted before it is stored and decrypted only when it is needed.

Example

The following code example is taken from the CVE directory and is an example of Unencrypted Private Data On-Chain vulnerability. This code stores a private key on the blockchain in an unencrypted form, making it accessible to malicious actors.

contract PrivateData {
    string privateKey;
    function storePrivateKey(string key) public {
        privateKey = key;
    }
}