Submission Details
Severity: high
Valid

`s_password` content is accessible via blockchain inspection

Summary

The PasswordStore.sol contract has a vulnerability where the stored password can be directly read from the contract's storage on the Ethereum blockchain.

Vulnerability Details

The content of the s_password variable can be accessed directly without interacting with the contract's functions.

Exploit scenario:

Initial state:

  • The PasswordStore contract is deployed on the Ethereum network.

  • The owner has set a private password using the setPassword function.

Step 1: An attacker inspects the storage of the PasswordStore contract directly, using the Foundry command

```bash
cast storage <ADDRESS> [SLOT]
```

or Web3

```javascript
web3.eth.getStorageAt(address, position)
```

and reads the content of `s_password`.

Outcome: The attacker successfully retrieves the password without using the contract's functions.
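Why the value returned by either call is readable as-is, shown as an added example that is not part of the original submission: a decoder for Solidity's documented `string` storage layout, applied to a 32-byte slot word. The function names and the sample value are constructed for illustration.

```javascript
// Added example (not from the submission or the audited project).
// Solidity storage layout for `string` / `bytes` at slot p:
//   short (<= 31 bytes): data left-aligned in the slot, lowest byte = length * 2
//   long  (>= 32 bytes): slot holds length * 2 + 1, data starts at keccak256(p)
// Nothing in this layout is encrypted; `private` only restricts Solidity-level access.

function decodeStringSlot(hexWord) {
  const hex = hexWord.replace(/^0x/i, "").padStart(64, "0");
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error("expected a 32-byte hex word");
  }
  const word = Buffer.from(hex, "hex");
  const lowest = word[31];

  if ((lowest & 1) === 0) {
    // Short layout: the plaintext bytes sit directly in the slot.
    const length = lowest / 2;
    if (length > 31) throw new Error("invalid short-string length");
    const value = word.subarray(0, length).toString("utf8");
    return { layout: "in-slot", length, value };
  }

  // Long layout: the slot only records the length; the bytes live in
  // consecutive slots starting at keccak256(p) and are equally public.
  const length = Number((BigInt("0x" + hex) - 1n) / 2n);
  return { layout: "out-of-slot", length, value: null };
}

// Constructed helper: builds the slot word the compiler would write
// for a short string, so the decoder can be exercised offline.
function encodeShortString(s) {
  const data = Buffer.from(s, "utf8");
  if (data.length > 31) throw new Error("short layout holds at most 31 bytes");
  const word = Buffer.alloc(32);
  data.copy(word, 0);
  word[31] = data.length * 2;
  return "0x" + word.toString("hex");
}

// Constructed sample value, not a real password.
const sampleWord = encodeShortString("constructed-sample");
console.log(sampleWord, decodeStringSlot(sampleWord));
```

Because both layouts keep the bytes in plaintext, string length does not change the finding; only keeping the secret off-chain does.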

Impact

The core functionality of the contract, which is to store a password and prevent others from accessing it, is compromised.

Tools Used

Manual review

Recommendations

Do not store passwords directly on the blockchain.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
