Submission Details
Severity: high
Valid

setPassword does not encrypt the password when it is set, so your password would be visible to all on the blockchain

Summary

This password storage contract would be deployed on the blockchain and interactions with the contract, such as calling setPassword, would be publicly visible.

Vulnerability Details

You have to make a call to setPassword to store your password. That call would be recorded on the blockchain.

Impact

Anyone could read your password in cleartext on the blockchain and then use it to log in to whatever site or service the password secures. For example, if it was your banking password, they could drain your accounts. If it was your Amazon password, they could buy things for themselves with your cards. They could also lock you out of your accounts by changing the password.

Tools Used

Manual review
VS Code

Recommendations

Encrypt your password locally and then upload the encrypted password to the contract. That way getPassword will return the encrypted password which you can decrypt locally. Don't upload a password in cleartext.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
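The judge's note above is the reason the report's recommendation to encrypt locally matters: a `string private` value still sits in a storage slot, and any node returns that raw word (for example via eth_getStorageAt) regardless of the keyword. The following is an added example, not code from the submission or the contest, assuming a constructed layout with the owner address at slot 0 and `string s_password` at slot 1; it decodes the slot the way the Solidity storage layout defines it.

```python
# Added example (not from the submission or the contest): decoding a Solidity
# `string private` value from the raw 32-byte storage word that any node
# returns for the slot. Assumed layout: slot 0 = address owner, slot 1 =
# string s_password (a constructed example, not taken from the page).

def decode_short_string_slot(word: bytes) -> str:
    """Decode a Solidity short string (<= 31 bytes) stored inline in one slot.

    Per the Solidity storage layout, the string bytes are left-aligned in the
    word and the lowest-order byte holds 2 * length. An odd lowest byte marks
    a long string whose bytes live at keccak256(slot) instead.
    """
    if len(word) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    marker = word[31]
    if marker & 1:
        raise ValueError("long string: data is at keccak256(slot), not handled here")
    length = marker // 2
    if length > 31:
        raise ValueError("invalid short-string marker byte")
    return word[:length].decode("utf-8")


# Constructed storage snapshot (slot -> raw word), as eth_getStorageAt would
# return it. The password word is "myPassword" (10 bytes) followed by zero
# padding and the marker byte 0x14 (= 2 * 10).
CONSTRUCTED_STORAGE = {
    0: bytes.fromhex("000000000000000000000000" + "11" * 20),  # placeholder owner
    1: bytes.fromhex("6d7950617373776f7264" + "00" * 21 + "14"),
}


def read_password(storage: dict, slot: int = 1) -> str:
    """Read the 'private' password exactly as any chain observer could."""
    return decode_short_string_slot(storage[slot])


if __name__ == "__main__":
    print("slot 1 raw word :", CONSTRUCTED_STORAGE[1].hex())
    print("decoded password:", read_password(CONSTRUCTED_STORAGE))
```

Passwords longer than 31 bytes use the long-string form, where the slot holds only the length marker and the bytes live at keccak256(slot); they are just as readable, only one hash away.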
