State variables declared as private are still readable on-chain. Because the state variable password is declared private here, the password can be recovered by anyone!
The EVM stores state variables in a huge array of 2**256 slots. Each slot holds 32 bytes, whereas the address type is 20 bytes. So the address state variable is stored in EVM slot 0 with 12 bytes left over. Since the private state variable uses the string keyword, depending on the string's byte length it could be stored in slot 0 if the string is shorter than 12 bytes; otherwise it is stored in slot 1. Now, using the contract address after deployment and the truffle console, the slot data can be read out, and the password that was meant to be private is in front of you!
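To make the storage layout concrete, here is an added example (not part of the original finding or the audited contract) that decodes raw 32-byte storage words the way Solidity lays out an address and a string. The slot values are constructed, not read from a live chain; the example assumes the owner address sits in slot 0 and the password string occupies slot 1, and it handles the case where a string is too long to fit inline and only its length is stored in the slot. The point for a reviewer is that anything the decoder can recover from public storage must be treated as public data, whatever visibility keyword the contract uses.

```python
"""Decode raw EVM storage words as Solidity lays out an `address` and a
`string`, showing that `private` limits Solidity-level access only and does
not hide the value from anyone who can read storage."""

# Constructed sample storage words (not from a live chain).
# Slot 0: a 20-byte address, right-aligned in the 32-byte word.
SLOT0 = "0x" + "00" * 12 + "ab" * 20
# Slot 1: the string "hunter2hunter2" (14 bytes), left-aligned, with the
# lowest-order byte holding length * 2 = 28 = 0x1c (Solidity short-string form).
SLOT1 = "0x68756e7465723268756e74657232" + "00" * 17 + "1c"


def word_bytes(slot_hex: str) -> bytes:
    """Parse one hex-encoded 32-byte storage word."""
    raw = bytes.fromhex(slot_hex[2:] if slot_hex.startswith("0x") else slot_hex)
    if len(raw) != 32:
        raise ValueError("a storage word must be exactly 32 bytes")
    return raw


def decode_address(slot_hex: str) -> str:
    """An address occupies the low-order 20 bytes of its slot."""
    return "0x" + word_bytes(slot_hex)[12:].hex()


def decode_string(slot_hex: str):
    """Return the string when it is stored inline (shorter than 32 bytes).

    Solidity marks a short string by storing length * 2 in the lowest byte
    (even value). A long string stores length * 2 + 1 in the whole word (odd
    value) and keeps its bytes at keccak256(slot); for that case we return a
    ("long", byte_length) tuple instead of the data.
    """
    w = word_bytes(slot_hex)
    if w[31] & 1 == 0:                # even marker: short string, inline
        length = w[31] // 2
        return w[:length].decode("utf-8")
    length = (int.from_bytes(w, "big") - 1) // 2
    return ("long", length)


def audit_slots(layout, slots):
    """Defender's check: decode every declared variable from its storage word.

    layout: list of (name, solidity_type, slot_index); slots: dict of
    slot_index -> hex word. Anything that decodes here is publicly readable.
    """
    findings = []
    for name, sol_type, index in layout:
        word = slots[index]
        if sol_type == "address":
            value = decode_address(word)
        elif sol_type == "string":
            value = decode_string(word)
        else:
            value = word               # other types left raw for this demo
        findings.append((name, index, value))
    return findings


if __name__ == "__main__":
    layout = [("s_owner", "address", 0), ("s_password", "string", 1)]
    for name, index, value in audit_slots(layout, {0: SLOT0, 1: SLOT1}):
        print(f"slot {index} ({name}): {value!r}  <- readable by anyone")
```

Run as a script to see both the owner address and the password string recovered from the constructed words; to apply it to a real deployment, feed `audit_slots` the words returned by a node's `eth_getStorageAt` for the contract's slots, and treat every decoded value as public.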
The contract is now effectively owned by the attacker. The original owner can't access the contract again, since the attacker will change the password.
Manual Review
Never store sensitive data on the blockchain.
Private functions and state variables are only visible within the contract they are defined in, not in derived contracts. In this context, private does not mean secret or confidential.