Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Private stored password and owner value are accessible

Summary

While private variables are not directly accessible from other contracts, their contents can still be read from chain storage, so a security vulnerability remains.

Vulnerability Details

After deploying the contract and checking its bytecode, I found that:
- slot 0 stores the address value of s_owner
- slot 1 stores the string value of s_password

Impact

The state variables are stored publicly in the block itself, and stored data can be retrieved, so their values are permanent on chain. By taking the block's bytecode and reversing every slot, you can see the s_password and s_owner values clearly, and they can be monitored and used.

Tools Used

Testing with Foundry and Anvil to track the block exchanges.

Recommendations

Save sensitive data in hashed form using keccak256. This allows retrieving the hashed data and comparing it with the keccak256 of the input data to validate that it is the same.
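As an added illustration of this recommendation (example code, not the submitter's or the audited contract's), the variant below stores only keccak256(password) in slot 1 and a Foundry test reads that slot directly with vm.load to confirm the raw word is the hash rather than the plaintext string; it assumes forge-std is available and uses a constructed sample password.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

/// Hardened variant: the contract never stores the plaintext password,
/// only its keccak256 hash, so inspecting storage yields no secret string.
contract HashedPasswordStore {
    error HashedPasswordStore__NotOwner();

    address private s_owner;         // slot 0, same layout as the finding
    bytes32 private s_passwordHash;  // slot 1 now holds a hash, not a string

    constructor(bytes32 initialHash) {
        s_owner = msg.sender;
        s_passwordHash = initialHash;
    }

    // The owner submits a hash computed off-chain; plaintext never hits state.
    function setPasswordHash(bytes32 newHash) external {
        if (msg.sender != s_owner) revert HashedPasswordStore__NotOwner();
        s_passwordHash = newHash;
    }

    // Hash the candidate and compare against the stored hash.
    function checkPassword(string calldata candidate) external view returns (bool) {
        return keccak256(bytes(candidate)) == s_passwordHash;
    }
}

contract HashedPasswordStoreTest is Test {
    HashedPasswordStore store;
    // Constructed sample; in practice the hash is computed off-chain.
    bytes32 constant HASH = keccak256("myPassword");

    function setUp() public {
        store = new HashedPasswordStore(HASH);
    }

    // Read slot 1 the way the finding did: the raw word equals the hash,
    // so storage inspection no longer reveals the password text.
    function test_SlotHoldsHashNotPlaintext() public view {
        bytes32 raw = vm.load(address(store), bytes32(uint256(1)));
        assertEq(raw, HASH);
        assertTrue(store.checkPassword("myPassword"));
        assertFalse(store.checkPassword("wrong"));
    }
}
```

Note that a hash of a low-entropy password can still be brute-forced offline, and any plaintext passed to checkPassword in a transaction is visible in calldata, so the hash only removes the secret from contract storage.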

Updates

Lead Judging Commences

inallhonesty (Lead Judge), about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
