The value of s_password can be seen by anyone.
Despite the "private" keyword on the variable s_password, a malicious actor can still see the password stored there. The terms "private" and "public" only refer to whether the smart contract makes it easier for developers to access the respective variable (by providing a getter method).
The impact of this vulnerability will depend on the purpose of this secret password. With a bit of social engineering, a malicious actor can use it to hack into the owner's private stuff.
Manual.
Always keep in mind that in smart contracts, any variable can be seen by users (because of its public bytecode nature). For that reason, private passwords should never be stored as a variable.
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, "private" doesn't mean secret or confidential.