A common misconception is that declaring a smart contract's state variables as private or internal protects their data from being read by anyone.
One of Ethereum's key characteristics is its high auditability: all contract data is public, regardless of a state variable's visibility specifier.
The developer declared s_password as private and created a getter that only the owner can access to read the stored password:
Although the access control check does prevent non-owner accounts from reading the password with the getter, the password is still accessible through other means.
To demonstrate the vulnerability I deployed an instance of PasswordStore.sol on the Sepolia testnet at the following address: 0x911Ad16d96bF2DEF8fF935C3dDe77f2f9f907306.
With the help of Foundry's command-line tool Cast, we can make an RPC call to read the "secret" password using the following command:
The command will print the password on the terminal: myPassword.
The password isn't secret.
Tools used: Cast, Foundry and Visual Studio Code.
Do not store passwords or secrets on-chain unless they have been securely encrypted or hashed.
Private functions and state variables are only visible inside the contract in which they are defined, not in derived contracts. In this case, private does not mean secret or confidential.
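To make the point concrete, here is an added example (not part of the original finding or the PasswordStore project) that decodes a raw 32-byte storage word, as returned by the eth_getStorageAt JSON-RPC method, into the Solidity string it holds. It assumes the string is shorter than 32 bytes, which is how Solidity packs short strings: the UTF-8 bytes left-aligned in the slot and twice the length in the lowest-order byte; the sample word below is constructed to hold "myPassword".

```python
# Added example: decode a Solidity short-string storage word.
# Short strings (< 32 bytes) are stored in place: data bytes on the left,
# 2 * length in the last byte. Long strings set the last bit of that byte
# and keep their data in keccak256(slot)-derived slots, which this helper
# deliberately does not follow.

def storage_word_from_hex(hex_word: str) -> bytes:
    """Convert the '0x…' hex string returned by eth_getStorageAt to 32 bytes."""
    raw = hex_word[2:] if hex_word.startswith("0x") else hex_word
    word = bytes.fromhex(raw)
    if len(word) != 32:
        raise ValueError("a storage word must be exactly 32 bytes")
    return word


def decode_short_string(word: bytes) -> str:
    """Decode an in-place (short) Solidity string from its storage word."""
    if len(word) != 32:
        raise ValueError("a storage word must be exactly 32 bytes")
    marker = word[-1]
    if marker & 1:
        raise ValueError("long string: data is not stored in this slot")
    length = marker // 2
    if length > 31:
        raise ValueError("invalid short-string length marker")
    return word[:length].decode("utf-8")


def read_private_string(hex_word: str) -> str:
    """Decode the string held in a raw storage word, whatever its visibility."""
    return decode_short_string(storage_word_from_hex(hex_word))


# Constructed sample: the word a slot holding the string "myPassword" contains.
SAMPLE_WORD = "0x" + b"myPassword".hex() + "00" * 21 + "14"  # 0x14 == 2 * 10

if __name__ == "__main__":
    print(read_private_string(SAMPLE_WORD))  # myPassword
```

The visibility specifier never enters this decoding, which is the whole point: the slot contents are public regardless of whether the variable is private.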