The value of s_password is not encrypted before it is stored on-chain.
The values of private state variables in a smart contract can be read by anyone by referring to the contract's storage slots. Each storage slot occupies 32 bytes of storage.
In the given smart contract PasswordStore, there are 2 state variables:
The data type address occupies 160 bits (20 bytes), while a string occupies a full 32-byte slot. So the variable s_owner occupies slot 0 and the variable s_password occupies slot 1.
The value of the variable s_password can be read by reading slot 1 of the PasswordStore smart contract like this:
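The slot assignment described above, together with the way Solidity stores a short string in place inside its slot, as an added example that is not part of the original finding. The slot value below is constructed to mirror PasswordStore's layout; it was not read from a live chain.

```python
# Added example (not from the original finding): compute the slot layout of
# PasswordStore's state variables and decode the raw 32-byte word that Solidity
# keeps in a string's slot, to show why a "private" string is still readable.

def solidity_slot_layout(var_sizes):
    """Assign slots to fixed-size state variables in declaration order.
    var_sizes: list of (name, byte_size). A variable starts a new slot when it
    does not fit in the remaining bytes of the current one (packing rule)."""
    slots, slot, used = {}, 0, 0
    for name, size in var_sizes:
        if used + size > 32:
            slot, used = slot + 1, 0
        slots[name] = slot
        used += size
    return slots

def decode_short_string(word: bytes) -> str:
    """Decode a Solidity string stored in place (length < 32 bytes).
    Layout: string bytes are left-aligned, the lowest byte holds length*2.
    A lowest byte with its low bit set marks a long string whose data lives at
    keccak256(slot); this helper deliberately does not handle that case."""
    if len(word) != 32:
        raise ValueError("slot value must be exactly 32 bytes")
    if word[-1] & 1:
        raise ValueError("long string: data lives at keccak256(slot), not in the slot")
    length = word[-1] // 2
    return word[:length].decode("utf-8")

def encode_short_string(s: str) -> bytes:
    """Inverse of decode_short_string, used here only to build sample slot values."""
    data = s.encode("utf-8")
    if len(data) >= 32:
        raise ValueError("only short strings are stored in place")
    return data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])

# PasswordStore declares `address private s_owner;` then `string private s_password;`
LAYOUT = solidity_slot_layout([("s_owner", 20), ("s_password", 32)])

# Constructed sample: what slot 1 would hold if the stored password were "myPassword".
SAMPLE_SLOT_1 = encode_short_string("myPassword")

if __name__ == "__main__":
    print(LAYOUT)                              # {'s_owner': 0, 's_password': 1}
    print(SAMPLE_SLOT_1.hex())
    print(decode_short_string(SAMPLE_SLOT_1))  # myPassword
```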
Manual review
This could be solved by encrypting the password with the owner's public key before storing it on-chain. When the password is retrieved, it is decrypted with the owner's private key, so the only person who can make sense of the stored ciphertext is the owner.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this context, private does not mean secret or confidential.