Private password is visible by everyone
Summary
Anyone can see the private s_password variable.
Vulnerability Details
On blockchains nothing is really private, by defining a private state variable it only means it is only accessible by the contract itself and are not interactable outside of it, anyone using tools like Ethersjs or Foundry can see the contracts storage, revealing the UTF8 which can be easily converted to a clean string revealing the password without being the owner.
Using Foundry this is done by simply calling cast storage CONTRACT_ADDRESS 1 --rpc-url RPC_OF_THE_NETWORK_DEPLOYED. the 1 there means the password value is stored at position 1 because 0 is storing the s_owner, by calling this we can retrieve this utf-8 0x6d7950617373776f726400000000000000000000000000000000000000000014, the first hex values is a utf conversion of the password which can be decoded here: https://browserling.com/tools/utf8-decode, revealing the string "myPassword"
Impact
Everyone can see the s_password value without being the owner.
Tools Used
Cast - Foundry
UTF-8 decoder - https://www.browserling.com/tools/utf8-decode
Recommendations
Do not store any secrets on the blockchain, at least not by storing important things on private variables. This might be doable by using ZK tech but the current design is flawed.
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.