The getPassword() function is a view function, so it can be called with an arbitrary msg.sender because it does not require a transaction.
If the attacker knows the address of the s_owner, they can call the getPassword() function, spoofing the msg.sender as that of the owner, which discloses the password.
The s_owner address can be obtained by using cast storage to read the value of the variable if the address of the contract is known.
First, obtain the address of s_owner by reading storage slot 0 of the contract:
The address of s_owner will be the right-hand half: 0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266.
Pass this address as the from address via a cast call:
Pass the returned value to to-ascii to read the value:
You can see that the value of myPassword was obtained, without knowing the private key of the s_owner address.
The value of password, which should only be accessible by the contract owner, is actually accessible by any account.
foundry
cast
Require calls to getPassword() to be a transaction, which will require msg.sender to be valid. Alternatively, you can implement a public/private key setup, where the getPassword() function accepts a signed message as input; the function then validates this signature using the public key and reveals the password only after the signature is validated.
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.