Cleartext password can be seen on Etherscan or by reading contract storage from a client
Although the PasswordStore::s_password variable is declared private, its value is still visible in the transaction calldata on Etherscan and can be read directly from contract storage with an Ethereum client (e.g. web3.eth.getStorageAt(); not demonstrated in this finding).
This can be seen in this transaction and in this screenshot from Sepolia Etherscan.
Severity: High
Tools Used: Visual Studio Code, Etherscan
All clients using this contract should be written such that the password passed as the parameter to setPassword() is encrypted before it is sent. Correspondingly, clients calling getPassword() will need to decrypt what the contract returns. The encrypted password is still exposed on-chain, but recovering the actual plaintext password from it will be extremely difficult or impossible.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private does not mean secret or confidential.
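To make the point of this finding concrete, the following is an added example (not code from the finding or from the PasswordStore project): it decodes a Solidity string from the raw 32-byte word that eth_getStorageAt / web3.eth.getStorageAt() returns for the variable's slot. The storage word is constructed inline for the string "myPassword" and is assumed to be what a client would read back from the slot holding s_password; no live chain call is made. This shows that the private keyword only restricts access from other contracts, while the storage layout itself is public and trivially decodable.

```python
"""
Decode a Solidity `string` from the raw 32-byte storage word returned by
eth_getStorageAt. Added example for this finding; the sample word below is
constructed, not read from Sepolia.

Solidity's layout for a string of at most 31 bytes: the bytes sit
left-aligned in the slot and the lowest-order byte holds (length * 2).
Longer strings instead set the low bit (word = 2 * length + 1) and keep
their bytes at keccak256(slot), which this helper does not follow.
"""
from typing import Optional


def _strip_0x(hex_word: str) -> str:
    """Remove an optional 0x prefix so bytes.fromhex() accepts the string."""
    return hex_word[2:] if hex_word.startswith("0x") else hex_word


def encode_short_string_slot(value: str) -> str:
    """Build the storage word Solidity would write for a string <= 31 bytes."""
    data = value.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only inline strings (<= 31 bytes) are supported here")
    word = data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])
    return "0x" + word.hex()


def decode_short_string_slot(word_hex: str) -> Optional[str]:
    """
    Turn a storage word back into the string it holds.

    Returns None for the long-string encoding (low bit set), because the
    bytes live at keccak256(slot) and the caller must read those slots.
    """
    word = bytes.fromhex(_strip_0x(word_hex).rjust(64, "0"))
    if len(word) != 32:
        raise ValueError("storage word must be exactly 32 bytes")
    low = word[31]
    if low & 1:
        return None  # long string: data is not inline in this slot
    length = low // 2
    if length > 31:
        raise ValueError("inline string length out of range")
    return word[:length].decode("utf-8")


# Constructed sample: the word the slot for s_password would hold after
# setPassword("myPassword"). Anyone with an RPC endpoint can read it.
SAMPLE_SLOT_WORD = encode_short_string_slot("myPassword")

if __name__ == "__main__":
    print("raw slot word :", SAMPLE_SLOT_WORD)
    print("decoded value :", decode_short_string_slot(SAMPLE_SLOT_WORD))
```

For the mitigation in this finding, the same decoder would only ever yield ciphertext, which is why the encryption key must be held by the client and never stored or passed on-chain; a key written to any storage slot or included in calldata is just as readable as the password itself.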