Stored passwords are visible on chain.
Passwords are stored in a private variable called s_password. Private variables are private only within the smart contract scope, which means they can't be accessed or modified from other smart contracts. Their values, however, can be read freely from outside the blockchain by anyone.
High.
n/a
Store an encrypted version of the password instead of a plain text password. Store your decryption key off chain.
Or possibly just keep everything off chain; your password does not need to be there. If you need some sort of web3 authentication, you can use your own signed messages for that.
Note: if you choose to store encrypted passwords on chain, beware that even that comes with its risks, as encryption algorithms can have critical vulnerabilities that are only found several years later. Quantum computing could also ruin your encrypted passwords in the long run.
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
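To make the description concrete, here is an added example (not code from the audited contract or from the original finding) that decodes a Solidity string from a raw 32-byte storage word, the form in which any node returns it through the standard eth_getStorageAt JSON-RPC call. It assumes s_password is declared as a string; the slot value is constructed for illustration, and decodeStringSlot and encodeShortString are hypothetical helper names.

```javascript
// Solidity storage encoding for `string` / `bytes` state variables:
//   length <= 31 bytes: data left-aligned in the slot, last byte = length * 2
//   length >= 32 bytes: slot holds length * 2 + 1, data starts at keccak256(slot)
// The `private` keyword changes none of this; it only restricts other contracts.
function decodeStringSlot(slotHex) {
  const hex = slotHex.replace(/^0x/, "").padStart(64, "0");
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error("expected a 32-byte hex word");
  }
  const word = Buffer.from(hex, "hex");
  const lowByte = word[31];

  if ((lowByte & 1) === 0) {
    // Short form: the plaintext sits inline in the slot itself.
    const length = lowByte / 2;
    if (length > 31) throw new Error("invalid short-string encoding");
    return { form: "short", length, value: word.subarray(0, length).toString("utf8") };
  }
  // Long form: this slot holds only the length; the contents live in
  // further slots that are exactly as readable as this one.
  const length = Number((BigInt("0x" + hex) - 1n) / 2n);
  return { form: "long", length, value: null };
}

// Constructed helper: builds the slot word the compiler writes for a short
// string, so the example runs offline without a node.
function encodeShortString(s) {
  const data = Buffer.from(s, "utf8");
  if (data.length > 31) throw new Error("short form holds at most 31 bytes");
  const word = Buffer.alloc(32);
  data.copy(word, 0);
  word[31] = data.length * 2;
  return "0x" + word.toString("hex");
}

// Constructed sample value, not taken from any deployed contract.
const sampleSlot = encodeShortString("myPassword");
console.log(sampleSlot);
console.log(decodeStringSlot(sampleSlot));
```

When reviewing a contract, treat every state variable whose slot decodes this way as public data, whatever its visibility keyword says.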