s_password is not secret and can be seen by anyone on the blockchain.
There are actually 2 ways to leak the value of s_password:
Private state variables are not actually "private". Even though there is no getter function, they are stored in storage slots and can be read from the blockchain.
Transactions are visible to anyone; as such, once s_owner calls getPassword(), the return value will be recorded on the blockchain and anyone can see what s_password is.
Off-chain code or external contracts that depend on s_password being secret would be compromised. Depending on the logic being implemented, funds could be stolen or the whole protocol could be bricked.
Manual review.
Store a hash of s_password and only return the hash. Don't return s_password in getPassword.
Or, if possible, use OpenZeppelin's access control libraries.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret or confidential.
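To make the first leak above concrete, here is an added example (not part of the original finding or of the audited contract) that decodes the raw 32-byte word a node returns from eth_getStorageAt for a Solidity string state variable. The function names and the sample password are constructed for illustration; which slot s_password occupies depends on the contract's declaration order and is not assumed here.

```python
# Added example: decode a Solidity `string` from the raw 32-byte storage word
# returned by eth_getStorageAt. All sample values are constructed.

def encode_short_string(text: str) -> bytes:
    """Build the slot word Solidity stores for a string of at most 31 bytes."""
    data = text.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only the short (in-place) layout is built here")
    # Data is left-aligned; the lowest-order byte holds length * 2.
    return data.ljust(31, b"\x00") + bytes([len(data) * 2])


def decode_string_slot(word: bytes) -> dict:
    """Interpret one storage word of a `string`/`bytes` state variable."""
    if len(word) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    if word[31] & 1:
        # Long layout: the slot holds length * 2 + 1; the data itself starts
        # at slot keccak256(p), which is just as publicly readable.
        length = (int.from_bytes(word, "big") - 1) // 2
        return {"layout": "long", "length": length, "value": None}
    length = word[31] // 2
    if length > 31:
        raise ValueError("corrupt short-string word")
    value = word[:length].decode("utf-8", errors="replace")
    return {"layout": "short", "length": length, "value": value}


def parse_rpc_word(hex_word: str) -> bytes:
    """Convert the 0x-prefixed hex string from a JSON-RPC reply to 32 bytes."""
    digits = hex_word[2:] if hex_word.startswith("0x") else hex_word
    return bytes.fromhex(digits.rjust(64, "0"))


if __name__ == "__main__":
    # Constructed sample: the word a node would return for a password slot.
    sample = "0x" + encode_short_string("myPassword").hex()
    print(sample)
    print(decode_string_slot(parse_rpc_word(sample)))
```

The `private` keyword plays no part in this decoding: the word comes straight from contract storage, so the absence of a getter changes nothing about what an observer can read.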