Password visible as blockchain data is public
Summary
Common misconception that data on the blockhain in private variable is private and not viewable by anyone else. Additionally some think since blockchain involves cryptography data is encrypted.
Vulnerability Details
The password once stored on the blockchain is no longer a secret as it is visible to anyone. It is very easy to look up what is stored in the seconds storage slot containing "string private s_password"e.g web3.js using
Impact
Password is leakable, leaked so PassWordStore contract is not safe, secure and working as expected
Tools Used
Manual Analysis
Recommendations
Consider storing encrypted password online and offline have a decrypting and encrypting software encrypt password before storing on blockchain and decrypt once retrieved from blockchain
However most important is that blockchain is not the best place to store passwords or private, confidential data even encrypted as the encrypted data gives information to hackers where to start to try figure out your password
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.