Sensitive data (password) is passed visibly to everyone
Summary
TX call data is readable for everyone, so anyone will be able to read the password set by owner
Vulnerability Details
TX data is readable by anyone, and function call arguments can be extracted, exposing the sensitive password value.
E.g. it can be done like that:
Impact
High
Tools Used
Hardhat
Recommendations
Combined with all the previous reports, probably, just go rugpull, because it will be fully pwned in 5 minutes after release anyway.
However, if this contract really needs to work like it is described, and assuming this is intended to be used by some web2 system that accepts passwords, then better to store not a password, but encrypted value of structure like encode(consumer_publicKey, [password, owner_address]). This will both allow to check the password on web2 side while keeping it private. However, it will be still vulnerable to attack via rainbow tables, which can be prevented with usage of user's signature, so output will be something like encode(consumer_publicKey, [password, owner_address, sign(owner_privateKey, [password, owner_address])]). Extra actions can be taken to fight the signature replay attacks, but this depends a lot on real world application of this contract.
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.