Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

`s_password` can be read by anyone.

Summary

The `private` variable is not really private: anyone can read it, because all contract storage on the blockchain is publicly readable regardless of Solidity visibility.

Vulnerability Details

Step 1:
Deploy the contract to the Sepolia testnet for demo.
Contract address : 0x6b029c90F0B8E409E3E8efE870974DBE83D0137B

Step 2:
Store a password using setPassword(). The password used here is exposed_password.

Step 3:
Retrieve it using JavaScript (web3.js).

await web3.eth.getStorageAt('0x6b029c90F0B8E409E3E8efE870974DBE83D0137B', 1).then(v => web3.utils.hexToAscii(v).split('\u0000')[0])

This reads storage slot 1 of the deployed contract (the slot holding `s_password`; slot 0 holds `s_owner`) and returns exposed_password, without calling any function of the contract.
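The `split('\u0000')` above works for this short value but is not how Solidity actually lays out a `string` in a slot. The decoder below is an added example (not part of the original submission) that decodes the 32-byte slot value by its length byte, which also tells you when a longer string has its data outside the slot; the sample slot value is constructed to match what `getStorageAt(address, 1)` returns for exposed_password.

```javascript
// Added example: decode a Solidity `string` storage slot as the compiler lays it out.
// Short strings (<= 31 bytes): data is left-aligned in the slot and the lowest byte
// holds length * 2. Long strings: the slot holds length * 2 + 1 and the bytes live in
// a separate location (keccak256(slot)), so the slot alone does not contain them.

function decodeStringSlot(slotHex) {
  const hex = slotHex.replace(/^0x/, "").padStart(64, "0");
  if (hex.length !== 64) throw new Error("expected a 32-byte slot value");
  const bytes = Buffer.from(hex, "hex");
  const lastByte = bytes[31];
  if (lastByte & 1) {
    // Long string: only the encoded length is in this slot.
    const length = (BigInt("0x" + hex) - 1n) / 2n;
    return { kind: "long", length: Number(length), value: null };
  }
  const length = lastByte / 2;
  if (length > 31) throw new Error("invalid short-string length byte");
  return { kind: "short", length, value: bytes.subarray(0, length).toString("utf8") };
}

// Constructed sample slot value: "exposed_password" (16 bytes) left-aligned,
// 15 zero bytes of padding, then 0x20 = 16 * 2 as the length byte.
const SAMPLE_SLOT =
  "0x6578706f7365645f70617373776f7264" + "00".repeat(15) + "20";

function decodeSample() {
  return decodeStringSlot(SAMPLE_SLOT).value;
}

console.log(decodeSample()); // exposed_password
```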

Impact

Others will be able to see the leaked password.

Tools Used

Manual Review

Recommendations

DO NOT store passwords or any other sensitive data on the blockchain. If you absolutely must use this contract, encrypt the string off-chain before storing it, and keep the key off-chain as well.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
