The s_password string variable is publicly accessible, therefore allowing anyone to retrieve the stored password.
The protocol's goal is to allow only s_owner to call getPassword() and retrieve the password stored in s_password. However, s_password is publicly readable, since all data stored on EVM-compatible blockchains is public. Marking the variable private is irrelevant in this context: private only restricts access from other contracts, not from anyone reading chain state.
Anyone can read the password stored in s_password directly from storage, which defeats the protocol's entire purpose.
The following Foundry commands show how to retrieve the s_password from a deployed instance of PasswordStore:
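As an added illustration (not part of the original finding), the snippet below decodes the raw 32-byte value that a Foundry `cast storage <address> <slot>` read returns for a Solidity short string such as s_password. It assumes s_password occupies storage slot 1 (an assumption based on s_owner being declared first) and uses a constructed sample value rather than one read from a real deployment.

```python
# Added example: decoding a Solidity storage slot holding a short string (< 32 bytes).
# Solidity packs such strings left-aligned in the slot and stores (length * 2) in the
# lowest byte; an odd low byte marks a long string whose bytes live at keccak256(slot).
# Assumed layout for PasswordStore: slot 0 = s_owner, slot 1 = s_password (assumption).
S_PASSWORD_SLOT = 1


def encode_short_string_slot(s: str) -> str:
    """Build the 32-byte slot value Solidity would store for a short string."""
    data = s.encode("utf-8")
    if len(data) > 31:
        raise ValueError("long strings (>= 32 bytes) use a different layout")
    word = data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])
    return "0x" + word.hex()


def decode_short_string_slot(slot_hex: str) -> str:
    """Recover the string from a raw slot word as returned by `cast storage`."""
    raw = bytes.fromhex(slot_hex.removeprefix("0x").rjust(64, "0"))
    if len(raw) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    low = raw[31]
    if low & 1:
        # Long-string layout: slot holds length*2+1, data sits at keccak256(slot).
        raise ValueError("long string: read keccak256(slot) onwards to recover it")
    length = low // 2
    return raw[:length].decode("utf-8")


# Constructed sample: what a read of slot 1 would look like if the owner had
# stored the (made-up) password "s3cret-pass". Not taken from any real chain.
SAMPLE_SLOT_WORD = encode_short_string_slot("s3cret-pass")

if __name__ == "__main__":
    print(f"slot {S_PASSWORD_SLOT} word: {SAMPLE_SLOT_WORD}")
    print("decoded s_password:", decode_short_string_slot(SAMPLE_SLOT_WORD))
```

The decoding step is the whole "secret": no signature, key or owner check stands between a chain reader and the stored value.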
Don't use this protocol at all, since it's generally a bad idea to store private data on EVM compatible blockchains.
If you insist on using this protocol, you can encrypt the password off-chain before storing it. However, in this case you need to store the encryption key off-chain, which renders the protocol redundant as you could use the encryption key or part of it as your password.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this context, private does not mean secret or confidential.