The variable s_password is declared as string private and is intended to hold sensitive information accessible only to the owner of the contract. However, the contents of every state variable are publicly readable on the blockchain, so this variable can easily be read by non-owners.
Knowing the smart contract address, anyone can use tools such as web3.eth.getStorageAt() or cast storage <address> 1 to obtain the value of the s_password variable, leaking the sensitive password to unauthorized users.
Obtain the contract address and use the Foundry command below to read the raw storage value in slot 1.
The returned value can be passed to cast --to-ascii to convert it to a string:
As you can see, this reveals the password that was set when the contract was deployed.
The sensitive password can be revealed to anyone who knows the smart contract address.
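To make the decoding step concrete, the following added example (not part of the original finding or the audited project) decodes a raw 32-byte storage word the way cast --to-ascii does for a Solidity short string. The sample slot value is constructed here for a contract whose slot 1 holds the string "myPassword"; it assumes the string is at most 31 bytes so Solidity keeps it inline in the slot.

```python
from typing import Optional

# Constructed sample: what `cast storage <address> 1` would return if slot 1
# held the short string "myPassword" (assumption: <= 31 bytes, stored inline).
# Layout: string bytes left-aligned, lowest-order byte = 2 * length.
SAMPLE_SLOT_1 = "0x" + "myPassword".encode().hex().ljust(62, "0") + "14"


def decode_short_string_slot(slot_hex: str) -> Optional[str]:
    """Decode a Solidity storage word that holds a short string (<= 31 bytes).

    For short strings the data sits left-aligned in the word and the last byte
    stores length * 2 (an even value). Long strings set the low bit of the
    last byte instead and keep their bytes in keccak256(slot)-derived slots;
    those are reported as None because a single word does not contain them.
    """
    hex_body = slot_hex[2:] if slot_hex.startswith("0x") else slot_hex
    raw = bytes.fromhex(hex_body)
    if len(raw) != 32:
        raise ValueError("expected a 32-byte storage word")
    marker = raw[-1]
    if marker & 1:
        return None  # long-string marker: data lives outside this word
    length = marker // 2
    if length > 31:
        raise ValueError("invalid short-string length byte")
    return raw[:length].decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Demonstrates that a `private` variable is fully recoverable from its slot.
    print(decode_short_string_slot(SAMPLE_SLOT_1))
```

The decoder only covers the inline short-string layout; a password longer than 31 bytes would need the additional slots derived from keccak256 of the slot number.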
Do not store sensitive data on the blockchain: the entire smart contract and all of its variable data are publicly viewable, as demonstrated above.
This application should be designed so that the data stored on the blockchain is encrypted. For example, setPassword() could accept and store in s_password only a value the owner has already encrypted. It would then be up to the owner to encrypt and decrypt the contents off-chain.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private does not mean secret or confidential.