Labeling a state variable private does not make it invisible. Anyone can query the state variable s_owner directly from the blockchain.
I deployed this contract to Goerli testnet at 0x19AF1A4CB716eFd897827B472BdE854D6A1c98f7 and I set the password to 0x1337. You can verify that it is impossible for anyone other than the owner to call getPassword() to get the password:
https://goerli.etherscan.io/address/0x19AF1A4CB716eFd897827B472BdE854D6A1c98f7#readContract
One way to obtain the password is to use cast storage:
The return value is 0x307831333337000000000000000000000000000000000000000000000000000c, where "307831333337" is the ASCII representation of the string "0x1337".
Another way to do this is to inspect the setPassword() tx and decode the calldata:
https://goerli.etherscan.io/tx/0x65cfbd7ea420a58a1a1fbe99a44a2f06b72a5866c3a00f501d0f26d1e45cb771
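Both reads above come down to decoding the same Solidity encodings by hand: a short `string` packed into one storage word, and a `string` argument ABI-encoded in calldata. The following is an added example, not code from the finding or the PasswordStore project; the storage word is the one quoted above, while the calldata and its 4-byte selector are constructed placeholders for an offline run.

```python
"""Decode a Solidity `string` from a raw storage word and from ABI calldata.
Added example: STORAGE_WORD is the value shown on the page; the calldata is
constructed here with a placeholder selector (not the real setPassword one)."""

# Raw 32-byte word returned by `cast storage` for the password slot (from the page).
STORAGE_WORD = "0x307831333337000000000000000000000000000000000000000000000000000c"


def _to_bytes(hex_str: str) -> bytes:
    return bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)


def decode_short_string_slot(word_hex: str) -> str:
    """Decode a Solidity string that fits entirely in one storage slot.

    Strings shorter than 32 bytes are left-aligned in the high-order bytes and
    the lowest-order byte holds length * 2 (so 0x0c means 6 bytes). If the
    lowest bit is set the string is long and its bytes live at keccak256(slot),
    which this helper does not follow.
    """
    word = _to_bytes(word_hex)
    if len(word) != 32:
        raise ValueError("storage word must be exactly 32 bytes")
    marker = word[-1]
    if marker & 1:
        raise ValueError("long string: bytes are at keccak256(slot), not inline")
    length = marker // 2
    return word[:length].decode("ascii")


def decode_string_calldata(calldata_hex: str) -> str:
    """Decode the single `string` argument of a call such as setPassword(string).

    After the 4-byte selector: a 32-byte offset to the string head, then the
    32-byte length, then the UTF-8 bytes right-padded to a multiple of 32.
    """
    body = _to_bytes(calldata_hex)[4:]  # drop the function selector
    offset = int.from_bytes(body[0:32], "big")
    length = int.from_bytes(body[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(body):
        raise ValueError("declared string length exceeds calldata")
    return body[start:start + length].decode("utf-8")


def encode_string_calldata(selector_hex: str, s: str) -> str:
    """Build f(string) calldata so the decoder can be exercised without a node."""
    raw = s.encode("utf-8")
    padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
    body = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big") + padded
    return selector_hex + body.hex()


if __name__ == "__main__":
    print(decode_short_string_slot(STORAGE_WORD))  # 0x1337
    # "0xdeadbeef" is a constructed placeholder selector, not the real one.
    print(decode_string_calldata(encode_string_calldata("0xdeadbeef", "0x1337")))
```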
Anyone can read the password.
Manual review
Store the password off-chain or encrypt it.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.