Passwordstore::s_password is stored on-chain without any encryption, so it is publicly visible.
Even a variable marked as private is publicly accessible. By accessing the contract's immediate storage anybody can see the password's byte representation, which can be easily converted to its corresponding string.
s_password occupies the second storage slot in Passwordstore and can be read directly from it.
Using foundry cast:
The supposed secret password is visible to anyone at any time.
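The conversion from a slot's byte representation to its string, shown as an added example that is not part of the original finding. It follows Solidity's documented storage layout for the string type; the function name is hypothetical and the slot words are constructed sample values, not data read from the audited contract.

```python
# Added example: decode the raw 32-byte word held in a Solidity `string` slot.
# Layout (Solidity storage-layout documentation):
#   short string (<= 31 bytes): data left-aligned, lowest byte = length * 2
#   long string  (>= 32 bytes): slot holds length * 2 + 1, data stored elsewhere


def decode_string_slot(word_hex: str) -> dict:
    """Interpret one storage word as the head slot of a `string` variable."""
    raw = word_hex[2:] if word_hex.lower().startswith("0x") else word_hex
    word = bytes.fromhex(raw.zfill(64))  # tolerate stripped leading zeros
    if len(word) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")

    if word[31] & 1 == 0:
        # Short form: the string bytes sit in the same slot as the length.
        length = word[31] // 2
        if length > 31:
            raise ValueError("malformed short-string slot")
        text = word[:length].decode("utf-8", errors="replace")
        return {"kind": "short", "length": length, "value": text}

    # Long form: only the length is here; the bytes start at keccak256(slot).
    length = (int.from_bytes(word, "big") - 1) // 2
    return {"kind": "long", "length": length, "value": None}


# Constructed sample: "myPassword" (10 bytes) as it would sit in a slot.
SAMPLE_SHORT_SLOT = "0x" + "6d7950617373776f7264" + "00" * 21 + "14"
# Constructed sample: head slot of a 40-byte string (40 * 2 + 1 = 0x51).
SAMPLE_LONG_SLOT = "0x" + "00" * 31 + "51"

if __name__ == "__main__":
    print(decode_string_slot(SAMPLE_SHORT_SLOT))
    print(decode_string_slot(SAMPLE_LONG_SLOT))
```

The private keyword plays no part in this decoding: the slot word is the only input.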
foundry
manual review
Generally, private data should not be stored on-chain. s_password should be encrypted to ensure it is only readable by the owner.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret or confidential.