The PasswordStore smart contract is designed to store a password privately. However, the password is not encrypted (and storing it on-chain would be questionable even if it were), so anyone who can read the blockchain's data can access it.
The password is stored as a private variable in the contract. While this restricts other contracts from accessing it directly, it doesn't prevent it from being visible on the blockchain. Anyone with knowledge of how to read contract storage or analyze transaction data can easily retrieve the password. Tools like Etherscan or scripts using web3.js or ethers.js can be employed to access the stored password.
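Why `private` does not hide the value, as an added example (not part of the original finding or the PasswordStore code): a decoder for the raw 32-byte word a node returns for a storage slot holding a Solidity `string`. It assumes the password is a `string` state variable; the function names are hypothetical and the slot words are constructed samples.

```javascript
// Solidity storage layout for `string`:
//  - short (<= 31 bytes): data left-aligned in the slot, last byte = length * 2
//  - long: slot holds length * 2 + 1; data sits in consecutive slots
//    starting at keccak256(slot)
function hexToWord(hex) {
  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (clean.length !== 64 || /[^0-9a-fA-F]/.test(clean)) {
    throw new Error("expected a 32-byte hex word");
  }
  return Buffer.from(clean, "hex");
}

// slotWordHex: raw word of the string's slot.
// dataWordsHex: for long strings, the words read from keccak256(slot) onward.
function decodeStringSlot(slotWordHex, dataWordsHex = []) {
  const word = hexToWord(slotWordHex);
  if ((word[31] & 1) === 0) {
    const length = word[31] / 2;
    if (length > 31) throw new Error("invalid short-string encoding");
    return { kind: "short", length, value: word.subarray(0, length).toString("utf8") };
  }
  const length = Number((BigInt("0x" + word.toString("hex")) - 1n) / 2n);
  const wordsNeeded = Math.ceil(length / 32);
  if (dataWordsHex.length < wordsNeeded) {
    // Plaintext is not in this slot, but it is still on-chain in the data slots.
    return { kind: "long", length, value: null, wordsNeeded };
  }
  const data = Buffer.concat(dataWordsHex.slice(0, wordsNeeded).map(hexToWord));
  return { kind: "long", length, value: data.subarray(0, length).toString("utf8") };
}

// Constructed sample: builds the slot word a short string would occupy.
function sampleShortSlot(text) {
  const bytes = Buffer.from(text, "utf8");
  if (bytes.length > 31) throw new Error("sample helper handles short strings only");
  const word = Buffer.alloc(32);
  bytes.copy(word);
  word[31] = bytes.length * 2;
  return "0x" + word.toString("hex");
}

// The "private" value comes straight back out of the raw slot word.
console.log(decodeStringSlot(sampleShortSlot("example-password")));
```
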
The password's privacy and security are compromised. Users relying on this contract to store sensitive passwords are at risk of having—and will have—their passwords exposed to malicious actors or unintended third parties.
Manual analysis.
If you really want to implement this in a smart contract, use encryption or hashing mechanisms to secure the password before storing it on the blockchain. Alternatively, consider local or off-chain encrypted storage solutions.
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.