No Privacy on the Blockhain - Password not a secret
Summary
Even though the 's_password' variable on line 14 is marked as private anybody can still retrieve it.
Vulnerability Details
An attacker may not be able to simply call a getter function but they can read the contract and calculate the slot where the variable is stored. From there they can inspect the blockchain and the contract's memory. Finally they can decode the data.
Impact
Medium - If you are storing a password that protects sensitive data then this whole contract becomes pointless. However if you use the contract knowing this then maybe you can just store partial data and keep the rest of the data offchain. Similar concept to a public-key and a private-key, one you can leave out in public (like this contract) and one you keep hidden in your sock drawer.
Tools Used
Manual Inspection
Recommendations
Either don't use this contract or only store encrypted or partial data.
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.