✅Confidential Hash

Idea

private storage variables are not really private, they can be read by anyone if the contract is deployed on-chain.

First we analyze the storage layout:

slot 0: string firstUser
slot 1: uint alice_age
slot 2: bytes32 ALICE_PRIVATE_KEY
slot 3: bytes32 ALICE_DATA
slot 4: bytes32 aliceHash <- Need this
slot 5: string secondUser
slot 6: uint bob_age
slot 7: bytes32 BOB_PRIVATE_KEY
slot 8: bytes32 BOB_DATA
slot 9: bytes32 bobHash <- Need this

We need to read storage slot 4 and 9. To read storage variables, set up Infura Goerli RPC and use cast storage:

cast storage 0xf8E9327E38Ceb39B1Ec3D26F5Fad09E426888E66 4 --rpc-url https://goerli.infura.io/v3/d7d3f714d0f7413cba9ae5a122984f2d // 0x448e5df1a6908f8d17fae934d9ae3f0c63545235f8ff393c6777194cae281478

cast storage 0xf8E9327E38Ceb39B1Ec3D26F5Fad09E426888E66 9 --rpc-url https://goerli.infura.io/v3/d7d3f714d0f7413cba9ae5a122984f2d // 0x98290e06bee00d6b6f34095a54c4087297e3285d457b140128c1c2f3b62a41bd

PoC

https://github.com/ret2basic/QuillCTF-PoC/blob/main/ConfidentialHash/test/ConfidentialHash.t.sol

ConfidentialHash PoC