Assessment reports>Fuelet>Medium findings>Optimizable PasswordManager check
Category: Business Logic

Optimizable PasswordManager check

Medium Severity
Medium Impact
High Likelihood

Description

The Fuelet wallet checks user passwords and PINs by first hashing it with SHA-256 then attempting to decrypt a known value with AES-GCM. This operation is highly optimizable and parallelizable, and the low-entropy PIN can be discovered by an attacker with the ciphertext in seconds.

This validation is performed in fuelet_secure_layer/packages/fuelet_secure_layer/lib/src/features/ password/password_manager.dart:

const _secretToEncrypt = 'fuelet_secure_layer_secret_kmr_wpu0XFM4uaq3kym';

// ...

String _hashPassword(String password) {
  final bytes = utf8.encode(password);

  return sha256.convert(bytes).toString();
}

// ...

Future<String> _createPasswordSecret(String password) {
  final passwordHash = _hashPassword(password);

  return Aes256Gcm.encrypt(_secretToEncrypt, passwordHash);
}

Impact

This issue allows an attacker to quickly discover the user's password or PIN.

Recommendations

The Fuelet team should use a secure hash function such as Argon2 or Scrypt to hash the password.

Remediation

Zellic © 2025Back to top ↑