Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Avoid storing sensitive information on the blockchain without encryption.

Summary

Everything written to the blockchain, including every contract's storage, can be read by anyone who can query a node; Solidity visibility modifiers do not change this. Sensitive information such as a password must therefore never be stored on-chain in cleartext.

Vulnerability Details

PasswordStore.sol stores the owner's password as a string in the state variable s_password, which is declared private. In Solidity, private only restricts which contract code may access the variable; it does nothing to hide the value. The stored password can be read by anyone directly from the contract's storage, without calling any function of the contract.

For example, web3.js exposes raw contract storage through:

await web3.eth.getStorageAt(contractAddress, slotNumber)

s_password lives in storage slot 1 (s_owner, the first declared state variable, occupies slot 0), so the password is returned by:

await web3.eth.getStorageAt(contractAddress, 1)

The call returns one 32-byte word. For a string shorter than 32 bytes, solc stores the bytes left-aligned in that word and puts twice the length in the lowest byte, so the cleartext is recovered by decoding the leading bytes. Foundry users get the same word with cast storage <contractAddress> 1.
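To make the returned word concrete, here is an added Python example (not code from this submission or from PasswordStore.sol) that reproduces solc's storage layout for a string state variable and decodes it the way an attacker would after calling getStorageAt. The FakeStorage class, its placeholder data-slot base, and the sample password "myPassword" are constructed for the offline demo. It also handles the long-string case (32 bytes or more), which the single-word read above does not cover.

```python
"""Decode a Solidity `string` state variable from its raw storage words.

Added example; not part of the original submission or of PasswordStore.sol.
"""

SLOT_BYTES = 32


def encode_storage_string(s: str) -> tuple[bytes, list[bytes]]:
    """Lay out `s` the way solc does for a `string` state variable.

    Returns (head_word, data_words):
      * short (< 32 bytes): bytes are left-aligned in the head word and the
        lowest byte holds 2 * len; data_words is empty.
      * long (>= 32 bytes): the head word holds 2 * len + 1 and the bytes live
        in consecutive 32-byte words starting at keccak256(abi.encode(slot)).
    """
    data = s.encode()
    n = len(data)
    if n < SLOT_BYTES:
        head = data + b"\x00" * (SLOT_BYTES - 1 - n) + bytes([2 * n])
        return head, []
    head = (2 * n + 1).to_bytes(SLOT_BYTES, "big")
    words = []
    for i in range(0, n, SLOT_BYTES):
        chunk = data[i:i + SLOT_BYTES]
        words.append(chunk + b"\x00" * (SLOT_BYTES - len(chunk)))
    return head, words


def decode_storage_string(head: bytes, read_data_word) -> str:
    """Inverse of encode_storage_string.

    `head` is the 32-byte word getStorageAt returns for the variable's slot.
    `read_data_word(i)` must return the i-th 32-byte word of the long-string
    data area; against a live node that is
    getStorageAt(addr, keccak256(abi.encode(slot)) + i).
    """
    if len(head) != SLOT_BYTES:
        raise ValueError("storage word must be exactly 32 bytes")
    low = head[-1]
    if low & 1 == 0:
        # short form: lowest byte is 2 * len, data is in the leading bytes
        n = low // 2
        if n > SLOT_BYTES - 1:
            raise ValueError("short-form length byte out of range")
        return head[:n].decode()
    # long form: the whole word is 2 * len + 1
    n = (int.from_bytes(head, "big") - 1) // 2
    out = bytearray()
    for i in range((n + SLOT_BYTES - 1) // SLOT_BYTES):
        out += read_data_word(i)
    return bytes(out[:n]).decode()


class FakeStorage:
    """Constructed stand-in for a node: slot index -> 32-byte word.

    Long-string data words are keyed under a placeholder base index instead of
    keccak256(abi.encode(slot)); the hash is only needed against a real chain.
    """

    DATA_BASE = 10 ** 18  # placeholder for keccak256(abi.encode(slot))

    def __init__(self, password: str, slot: int = 1) -> None:
        self.slot = slot
        self.words: dict[int, bytes] = {}
        head, data = encode_storage_string(password)
        self.words[slot] = head
        for i, word in enumerate(data):
            self.words[self.DATA_BASE + i] = word

    def get_storage_at(self, slot: int) -> bytes:
        # unset slots read as zero, exactly as on-chain
        return self.words.get(slot, b"\x00" * SLOT_BYTES)


def read_password(chain: FakeStorage, slot: int = 1) -> str:
    """What an attacker does: read the slot and decode it; no owner key needed."""
    head = chain.get_storage_at(slot)
    return decode_storage_string(
        head, lambda i: chain.get_storage_at(FakeStorage.DATA_BASE + i)
    )


if __name__ == "__main__":
    chain = FakeStorage("myPassword")
    print("slot 1 word:", "0x" + chain.get_storage_at(1).hex())
    print("recovered:  ", read_password(chain))
    long_chain = FakeStorage("a passphrase that is well over thirty-two bytes long")
    print("recovered:  ", read_password(long_chain))
```

The word printed for "myPassword" is 0x6d7950617373776f7264 followed by 21 zero bytes and 0x14 (decimal 20, twice the length), which is exactly what a node returns for slot 1; the decoder simply applies the layout rules in reverse.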

Impact

Anyone can recover the owner's password, which defeats the contract's only purpose. The exposure is also permanent: even if the owner later changes the password, the old value remains readable from historical state and from the calldata of the transaction that set it.

Tools Used

Manual Analysis

Recommendations

Do not store the cleartext password on-chain. Keep the secret off-chain, or store only ciphertext encrypted with a key that never touches the chain. If a commitment is needed, store a cryptographic hash (for example keccak256 of the password) instead of the string: the hash itself reveals nothing directly, and knowledge of the password can be proven by recomputing the hash and comparing it to the stored value. Two caveats apply. A hash of a low-entropy password can be brute-forced offline against a wordlist, since the hash is public. And a contract function that takes the cleartext password as an argument in order to verify it places that cleartext in the transaction calldata, visible in the mempool and permanently in chain history, so verification of a secret should not be done on-chain with the secret itself.
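The two caveats above, as an added Python example that is not part of the original submission: an observer reads the stored hash, runs a wordlist against it, and recovers a weak password in a handful of guesses, while a random 32-byte secret survives the same attack; the second function shows that the cleartext of a verification call is sitting in its ABI-encoded calldata. Solidity would use keccak256; hashlib.sha256 stands in only because it is in the standard library, and neither point depends on the hash function. The wordlist and passwords are constructed for the demo.

```python
"""Limits of 'store a hash instead of the password'.

Added example; not part of the original submission. sha256 is a stand-in for
keccak256 (the attack and the calldata leak are independent of the hash).
"""
import hashlib
import secrets
from typing import Optional, Tuple

# constructed wordlist; a real attacker uses a leaked-password list
WORDLIST = ["123456", "password", "qwerty", "letmein", "myPassword", "admin"]


def commit(password: str) -> bytes:
    """The value an on-chain verifier would store instead of the cleartext."""
    return hashlib.sha256(password.encode()).digest()


def dictionary_attack(stored: bytes, wordlist) -> Tuple[Optional[str], int]:
    """Recover the preimage of a public hash by guessing; returns (password, guesses)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if commit(candidate) == stored:
            return candidate, guesses
    return None, guesses


def abi_encode_string_arg(s: str) -> bytes:
    """ABI encoding of a single `string` argument, i.e. the calldata of a
    verify(string) call after its 4-byte selector: offset, length, padded bytes.
    The cleartext appears verbatim, so anyone watching the mempool reads it."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded


def leaks_cleartext(password: str) -> bool:
    """True when the password is recoverable from the verification calldata."""
    return password.encode() in abi_encode_string_arg(password)


if __name__ == "__main__":
    weak = commit("myPassword")
    print("weak hash cracked:", dictionary_attack(weak, WORDLIST))
    strong = commit(secrets.token_hex(32))
    print("strong hash cracked:", dictionary_attack(strong, WORDLIST))
    print("verify() calldata leaks cleartext:", leaks_cleartext("myPassword"))
```

Hashing helps only when the secret has enough entropy that guessing is infeasible, and only if the secret is never sent to the chain to be checked.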

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in and not to derived contracts. In this case private doesn't mean secret/confidential.
