The contract wrongly assumes that the data it contains will not be visible to the public. This assumption does not hold in the blockchain paradigm, as all of the contract's data, including its variables, can be read publicly.
After deployment, PasswordStore.sol gives the contract's owner the capability to set a password represented by the s_password variable. The private visibility only prevents other derived contracts from reading the content of a given variable. The information remains visible to the public.
For more information, please refer to:
https://docs.soliditylang.org/en/latest/contracts.html#visibility-and-getters
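As an added illustration (not part of the original finding or of the PasswordStore code), the sketch below decodes the raw 32-byte storage word that any node returns for a Solidity string state variable, following Solidity's documented storage layout for strings. The sample password and the storage words are constructed; the slot that s_password actually occupies is not stated here and is left out.

```python
# Added example: decode the raw storage word of a Solidity `string` variable.
# All sample values below are constructed for illustration.

def encode_short_string(value: str) -> bytes:
    """Build the 32-byte word Solidity stores for a string of at most 31 bytes
    (used here only to construct sample input)."""
    data = value.encode("utf-8")
    if len(data) > 31:
        raise ValueError("in-slot layout holds at most 31 bytes")
    # Data is left-aligned; the lowest-order byte stores length * 2.
    return data.ljust(31, b"\x00") + bytes([len(data) * 2])


def decode_string_slot(word: bytes):
    """Interpret one storage word of a `string` variable.

    Returns ("short", text) when the string is stored in the slot itself, or
    ("long", byte_length) when the slot only holds the length and the data
    lives in consecutive slots starting at keccak256(slot index).
    """
    if len(word) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    marker = int.from_bytes(word, "big")
    if marker & 1:
        # Lowest bit set: the slot stores length * 2 + 1.
        return ("long", (marker - 1) // 2)
    length = word[31] // 2
    if length > 31:
        raise ValueError("malformed storage word")
    return ("short", word[:length].decode("utf-8"))


# Constructed sample: what a storage read would return for a private string.
CONSTRUCTED_PASSWORD = "myPassword"
SAMPLE_WORD = encode_short_string(CONSTRUCTED_PASSWORD)

if __name__ == "__main__":
    print("raw word :", "0x" + SAMPLE_WORD.hex())
    print("decoded  :", decode_string_slot(SAMPLE_WORD))
```

The private keyword plays no part in this decoding: the storage word is the same whatever visibility the variable is declared with.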
Disclosure of sensitive information (passwords, passphrases, etc.).
Foundry, VSCode, Remix
Reconsider the intended design of the application and whether blockchain technology is an adequate choice.
Private functions and state variables are only visible to the contract they are defined in and not to derived contracts. In this case, private doesn't mean secret or confidential.