Non owner user can access the password.
Summary
Any user can access the password as they want even if they are not the owner.
Vulnerability Details
Contract uses string private s_password; variable at Line #14 to store the password in the storage. But since everything is public in the blockchain anyone will have access to this password if they can read the storage.
In foundry we can use cast storage ContractAddress to get the full storage layout of this contract. Or we can use cast storage ContractAddress, StorageSlotOfPassword to access the stored password.
Alternatively we can use const contents = await web3.eth.getStorageAt(contractAddress, StorageSlotOfPassword) .
Impact
Impact of this vulnerability is high since it defeats the whole purpose of the contract. Password is supposed to be private but anyone will have access to it.
Tools Used
Manual review and Foundry.
Recommendations
Do not use blockchain to store passwords as strings, everything in the blockchain is public data.
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.