Despite being marked as a private variable, s_password can still be read from outside the blockchain using ethers.js. (https://quillaudits.medium.com/accessing-private-data-in-smart-contracts-quillaudits-fe847581ce6d)
According to the contract's logic, s_password should only be viewable by the owner. Based on this assumption, the developer declared the variable private. But this assumption is wrong because:
"Making something private or internal only prevents other contracts from reading or modifying the information, but it will still be visible to the whole world outside of the blockchain." - official docs: https://docs.soliditylang.org/en/v0.8.18/contracts.html#visibility-and-getters
s_password is leaked for anyone to read.
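An added example (not part of the original finding or the audited contract) of what an auditor sees when checking this: the raw 32-byte word a node returns for a `string` storage slot decodes straight to plaintext. The function names and the sample slot words are constructed for illustration, and the slot index to query depends on the contract's storage layout.

```javascript
// Decode the 32-byte word a node returns for a Solidity `string` storage slot
// (the value you get from eth_getStorageAt, or provider.getStorage in ethers v6).
// All slot words used here are constructed sample data.

function decodeStringSlot(wordHex) {
  const hex = wordHex.replace(/^0x/, "").padStart(64, "0");
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error("expected a 32-byte hex word");
  }
  const word = Buffer.from(hex, "hex");
  const lowByte = word[31];

  if ((lowByte & 1) === 0) {
    // Short string (<= 31 bytes): data is left-aligned, last byte = length * 2.
    const length = lowByte / 2;
    if (length > 31) throw new Error("invalid short-string encoding");
    return { kind: "short", length, value: word.subarray(0, length).toString("utf8") };
  }
  // Long string: the slot holds length * 2 + 1 and the bytes live at
  // keccak256(slot), which is just as publicly readable as the slot itself.
  const length = Number((BigInt("0x" + hex) - 1n) / 2n);
  return { kind: "long", length, value: null };
}

// Helper that builds a sample slot word the way the compiler lays out a short string.
function encodeShortStringSlot(text) {
  const data = Buffer.from(text, "utf8");
  if (data.length > 31) throw new Error("sample must be at most 31 bytes");
  const word = Buffer.alloc(32);
  data.copy(word, 0);
  word[31] = data.length * 2;
  return "0x" + word.toString("hex");
}

// Constructed sample: what a `string private` holding "myPassword" looks like on chain.
const sampleSlot = encodeShortStringSlot("myPassword");
console.log(sampleSlot);
console.log(decodeStringSlot(sampleSlot));
```

The `private` keyword plays no part in this encoding, which is why the value is recoverable by anyone who can query a node.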
Manual Analysis
Do not store sensitive information, such as the password in this case, directly on the contract. Encrypt the password first or simply store it with a third party such as IPFS...
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret or confidential.