The getPassword function includes access control that checks whether the caller is the owner, and the s_password string is stored on-chain in a private state variable. However, because blockchains are transparent, any user can read the s_password string directly from its storage slot, bypassing the access control.
The PasswordStore contract is deployed at address 0x5FbDB2315678afecb367f032d93F642f64180aa3.
The s_password is stored in slot 1. To read the variable, execute the following command:
The output of the command is 0x6d7950617373776f726400000000000000000000000000000000000000000014, which translates to myPassword, the same value used during deployment.
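How the 32-byte word above decodes to myPassword, as an added example that is not part of the original finding. It relies on Solidity's documented storage layout for strings; the function name decode_string_slot is hypothetical, and the slot value is the one quoted in the finding.

```python
# Added example: decode the 32-byte word stored in a Solidity `string` slot.
# SLOT_WORD is the value quoted in the finding; the function name is hypothetical.

SLOT_WORD = "0x6d7950617373776f726400000000000000000000000000000000000000000014"


def decode_string_slot(word_hex: str) -> dict:
    """Decode the storage word of a Solidity string/bytes state variable.

    Short layout (<= 31 bytes): data is left-aligned in the slot and the
    lowest-order byte holds length * 2.
    Long layout (>= 32 bytes): the slot holds length * 2 + 1 and the data
    starts at keccak256(slot), so only the length is recoverable from this word.
    """
    digits = word_hex[2:] if word_hex.lower().startswith("0x") else word_hex
    raw = bytes.fromhex(digits)
    if len(raw) != 32:
        raise ValueError("expected a 32-byte storage word")

    if raw[-1] & 1 == 0:
        # Short layout: lowest bit clear, last byte is length * 2.
        length = raw[-1] // 2
        if length > 31:
            raise ValueError("invalid short-string length")
        value = raw[:length].decode("utf-8", errors="replace")
        return {"layout": "short", "length": length, "value": value}

    # Long layout: lowest bit set, whole word is length * 2 + 1.
    length = (int.from_bytes(raw, "big") - 1) // 2
    return {"layout": "long", "length": length, "value": None}


if __name__ == "__main__":
    print(decode_string_slot(SLOT_WORD))
```

The trailing 0x14 byte is 20, twice the 10-byte length of the string, which is why the value fits in the single slot read above.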
Any user can read the s_password variable.
Foundry's cast
Blockchains are inherently transparent, making them unsuitable for storing private data on-chain. A more advisable approach would involve using a web2 database to store the data and storing only hashes on the blockchain.
Private functions and state variables are only visible to the contract they are defined in and not to derived contracts. In this case, private doesn't mean secret/confidential.