I've been looking through some of the NEAR demos and came across the one regarding posting quizzes that can be answered for a reward.
Source code here: https://github.com/Learn-NEAR/NCD-02--riddles
Video here: https://www.youtube.com/watch?v=u4jP2a2mbiI
My question is related to how secure the answer hash is. In the current implementation, the answer hash is returned with the quizzes, but I imagine it would be better if that wasn't the case. Even then, if the hash was stored on the NEAR network without it being returned by any view functions, how secure would that be? If there was code in this contract to only give a certain number of guesses per account before denying additional attempts, would someone be able to get the hash through some other means and then have as many chances to answer as they want by locally hashing answers with sha256 and seeing if one matches?
Thanks, Christopher
for sure all data on chain is public so storing anything means sharing it with the world
one reasonable way to handle something like this would be to store the hash but accept the raw string and then hash it to compare the two for a possible win
if you choose a secure hashing algorithm then it would be nearly impossible to guess the required input string based on seeing the hash
update: it was pointed out to me that this answer is incomplete or misleading because if the set of possible answers is small then this would still be a bad design because you could just quickly hash all the possible answers (e.g. in a multiple choice question) and compare those hashes with the answer
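An added illustration of the two points in this answer, written as an example for this thread and not taken from the NCD-02 riddles contract: the "store the hash, accept the raw string, hash and compare" check, and a small risk helper that turns the size of the candidate answer set into a verdict on whether the stored hash actually protects anything. It uses Node's `crypto` module rather than NEAR's AssemblyScript SDK; the function names, the entropy thresholds and the four-option sample riddle are assumptions made for the example.

```typescript
// Added example (not from the NCD-02 riddles repo): the "store the hash,
// accept the raw string" check described in the answer above, plus a helper
// that estimates how much a stored answer hash resists offline guessing.
import { createHash, timingSafeEqual } from "crypto";

// Normalise before hashing so "Paris" and " paris " count as the same guess.
// The contract must apply the same rule when the riddle is created, otherwise
// a correct answer typed with different casing or spacing would be rejected.
export function normalize(answer: string): string {
  return answer.trim().toLowerCase();
}

// The digest that would be stored on chain. On NEAR every piece of contract
// state is public, so this value must be treated as known to everyone.
export function hashAnswer(answer: string): string {
  return createHash("sha256").update(normalize(answer)).digest("hex");
}

// Contract-side check: the caller submits the plain answer, the contract
// hashes it and compares against the stored digest. The constant-time compare
// is a habit for off-chain verifiers; on chain the stored hash is public
// anyway, so timing is not the thing that leaks it.
export function checkAnswer(storedHash: string, submitted: string): boolean {
  const a = Buffer.from(storedHash, "hex");
  const b = Buffer.from(hashAnswer(submitted), "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Risk assessment for the caveat in the update: if the answer can only come
// from a small candidate set (multiple choice, yes/no, a number in a range),
// hashing it protects nothing, because every candidate can be hashed offline
// and matched against the public digest. Thresholds are assumed for the
// example: below ~2^20 candidates the set is enumerable in seconds; below
// 2^64 it is within reach of serious hardware effort.
export interface GuessabilityReport {
  candidates: number;
  bitsOfEntropy: number;
  verdict: "enumerable" | "weak" | "ok";
}

export function assessGuessability(candidateCount: number): GuessabilityReport {
  const bits = Math.log2(candidateCount);
  let verdict: GuessabilityReport["verdict"];
  if (bits < 20) verdict = "enumerable";
  else if (bits < 64) verdict = "weak";
  else verdict = "ok";
  return { candidates: candidateCount, bitsOfEntropy: bits, verdict };
}

// Demo on a constructed four-option riddle: the check itself works, but the
// report shows the stored hash gives the answer no real protection.
export function demo() {
  const options = ["Paris", "Berlin", "Madrid", "Rome"]; // constructed sample
  const storedHash = hashAnswer("Paris");
  return {
    correct: checkAnswer(storedHash, " paris "),
    wrong: checkAnswer(storedHash, "Berlin"),
    report: assessGuessability(options.length),
  };
}
```

The design lesson is the one the update states: the hash-and-compare pattern is only as good as the number of plausible answers. For a free-text riddle with a large answer space it is reasonable; for a multiple-choice question the digest is effectively the answer, and a per-account guess limit in the contract cannot fix that because the guessing happens offline against public state.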
heads up!
everything in that GitHub org that starts with NCD
is a student project submitted after just a week of learning about NEAR
so there is a huge pile of mistakes there just waiting to be refactored and commented on by experts in the community
the projects that are presented for study all start with the prefix sample
those are the ones we generated to help students explore the possibilities of contracts on the NEAR platform along with all our core contracts, Sputnik contracts and others
sign up to learn more about NEAR Certified Developer Programs here: https://near.training