In Ethereum, declaring a state variable as private only means that it is not directly accessible from other contracts or through the contract's ABI. However, it's important to understand that Ethereum's design and architecture make it impossible to truly hide a variable's value: every storage slot of every contract is public data on the chain.
Contract storage slots can be read with low-level calls such as web3.eth.getStorageAt; doing so requires knowledge of the contract's storage layout (which slot holds which variable), but that layout is deterministic and can be derived from the source or bytecode. Even so, it's generally considered unethical and potentially illegal to access private contract storage without authorization.
The "s_password" within the contract can always be read through Foundry's "vm.load" or "web3.eth.getStorageAt" by passing the contract address and storage slot 1.
forge test
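To show what the raw slot value actually contains, here is an added example (not part of the original finding or the audited contract): a decoder for the short-string storage layout Solidity uses for strings under 32 bytes (data left-aligned in the slot, lowest byte holding 2 * length). The 32-byte sample slot value is constructed for this example, shaped like what getStorageAt or vm.load would return for slot 1; the decoder itself is general and also rejects the long-string case, where the slot only holds 2 * length + 1 and the bytes live elsewhere.

```python
# Added example (not from the original finding): decode a raw 32-byte storage
# slot into the short string Solidity stores in it. The point for the reader is
# that a "private" string is plaintext in the slot; no decryption is involved.


def decode_short_string_slot(slot_value: bytes) -> str:
    """Decode a 32-byte slot holding a Solidity string shorter than 32 bytes.

    Layout (Solidity storage rules for bytes/string):
      - data occupies the high-order bytes, left-aligned
      - the lowest-order byte stores 2 * length (even value)
      - an odd lowest byte means a long string: it stores 2 * length + 1 and
        the contents live at keccak256(slot), which this helper does not fetch
    """
    if len(slot_value) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    low = slot_value[31]
    if low & 1:
        raise ValueError("long string: contents are at keccak256(slot), not in the slot")
    length = low // 2
    if length > 31:
        raise ValueError("invalid short-string length byte")
    return slot_value[:length].decode("utf-8")


def encode_short_string_slot(value: str) -> bytes:
    """Inverse helper: build the slot value Solidity would store for a short string."""
    data = value.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only strings under 32 bytes fit in a single slot")
    return data.ljust(31, b"\x00") + bytes([len(data) * 2])


# Constructed sample: the slot value for the string "myPassword" (10 bytes,
# so the low byte is 0x14). This is what a read of slot 1 would return if the
# contract stored that string; it is not taken from any real deployment.
SAMPLE_SLOT_1 = bytes.fromhex("6d7950617373776f7264" + "00" * 21 + "14")

if __name__ == "__main__":
    # Prints the plaintext recovered from the raw slot bytes.
    print(decode_short_string_slot(SAMPLE_SLOT_1))
```

In a Foundry test the same bytes come from vm.load(address, bytes32(uint256(1))); from a client they come from getStorageAt(address, 1). The decoder above is the only step between that read and the plaintext, which is why the "private" keyword offers no confidentiality here.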
Recommendation: do not store the plaintext password on-chain. Store only an encrypted form (with the key kept off-chain), keep the password in centralized off-chain storage, or consider an alternative zero-knowledge proof design in which the contract verifies knowledge of the password without ever holding it.
Private functions and state variables are only visible to the contract they are defined in, not even to derived contracts. This visibility restriction is a compile-time rule for Solidity code; in this case private does not mean secret or confidential, since the underlying storage remains publicly readable.