New passwords could be retrieved from transaction input data
Summary
If the contract is verified through etherscan or other similar tools, transactions that set a new password will have their input data decoded by default and the value of new password will be visible to everyone.
Vulnerability Details
The input data of a transaction will contain the new password to be set when calling the setNewPassword function. If the contract is verified (the make file suggests it will be verified on etherscan), then transaction input data can be decoded and the password retrieved. The s_Owner variable can be read from storage and then a block explorer can be used to view the transactions associated with the owner. Any transactions interacting with the contract can be investigated.
Impact
Anyone can read the passwords the owner sets
Tools Used
Foundry, Solidity Visual Developer, VS Code, Etherscan
Recommendations
If this is for personal use, do not verify the contract.
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.