The developer of the PasswordStore smart contract assumes that declaring a state variable private adds an extra layer of privacy to the password stored in the contract.
The state variable s_password has private visibility. This means it is only accessible from within the PasswordStore contract itself and not from derived contracts or externally, but all data stored on a public blockchain is publicly viewable.
Sensitive data stored in s_password is publicly viewable on-chain; anyone can read it and use it in an exploit directly affecting the deployer/owner.
Manual Review
Not required.
Using encryption, or simply hashing the password off-chain with the keccak256 hashing algorithm and storing only the hash output, adds an extra layer of privacy for sensitive data. It is not the best solution, since keccak256 is deterministic (the same input always produces the same output), but it should be helpful in this context.
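As an added illustration (not code from the audited PasswordStore contract), the leaky pattern the finding describes beside the hash-commitment variant recommended above; contract and function names other than s_password are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Illustrative only: mirrors the finding's pattern, not the audited contract.
contract PasswordStoreLeaky {
    address private s_owner;
    // "private" only restricts Solidity-level access; the storage slot holding
    // this value can be read by anyone with access to a node.
    string private s_password;

    constructor() { s_owner = msg.sender; }

    function setPassword(string memory newPassword) external {
        require(msg.sender == s_owner, "not owner");
        s_password = newPassword; // plaintext lands in contract storage
    }
}

// Recommended variant: store only a keccak256 digest computed off-chain.
contract PasswordStoreHashed {
    address private s_owner;
    bytes32 private s_passwordHash; // digest, never the plaintext

    constructor(bytes32 passwordHash) {
        s_owner = msg.sender;
        s_passwordHash = passwordHash; // computed off-chain by the owner
    }

    // Owner rotates the digest; the plaintext never enters calldata or storage.
    function setPasswordHash(bytes32 newHash) external {
        require(msg.sender == s_owner, "not owner");
        s_passwordHash = newHash;
    }

    // Returns true only if the candidate's digest matches the stored one.
    // Caveats: keccak256 is deterministic, so a weak password can still be
    // brute-forced against the visible digest (mixing in a random salt
    // off-chain, keccak256(salt || password), at least defeats precomputed
    // tables); and a candidate sent in a transaction is visible in calldata,
    // so this is privacy-preserving only when evaluated off-chain via eth_call.
    function checkPassword(string calldata candidate) external view returns (bool) {
        return keccak256(abi.encodePacked(candidate)) == s_passwordHash;
    }
}
```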
Private functions and state variables are only visible to the contract they are defined in and not to derived contracts. In this case, private does not mean secret/confidential.