Blockchains are public and transparent, which exposes any data stored on them, even data intended to be private, to the world.

To quote Smart Contract Vulnerabilities :: Unencrypted Private Data On-Chain: "Ethereum smart contract code, storage, and any data transacted on-chain can always be read."

This means that the s_password value, and any update to it made through setPassword(string), is exposed to everyone. The password can be read directly by viewing the transaction data.
This can be seen by running forge script script/DeployPasswordStore.s.sol --rpc-url ${ANVIL_URL} and then opening broadcast/DeployPasswordStore.s.sol/31337/dry-run/run-latest.json, which shows that s_password is sent to the contract in clear text when an update is made.
The s_password value will be publicly available, so any data or service relying on it for security will be vulnerable.
Manual Review and Foundry
Try not to store private, secure and/or secret information on blockchains. If it is absolutely necessary, it should be encrypted at rest as well as in transit.

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this context, private does not mean secret or confidential.
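As an added example (not part of the original finding or the project's own tests), the following Foundry test shows the same exposure from the storage side rather than from the transaction data: it reads the private variable straight out of the contract's storage with vm.load, which any observer with a node can also do with cast storage. It assumes the contract at src/PasswordStore.sol declares s_owner first (slot 0) and s_password second (slot 1), that the deployer may call setPassword, and that the stored password is shorter than 32 bytes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol";

// Added example test, not part of the original finding. Assumed storage layout:
// `address private s_owner;` in slot 0 and `string private s_password;` in slot 1.
contract PrivateStorageIsPublicTest is Test {
    PasswordStore private store;
    uint256 private constant PASSWORD_SLOT = 1; // assumed slot of s_password

    function setUp() public {
        store = new PasswordStore();
        // The plaintext travels in the transaction calldata and then lands in storage.
        store.setPassword("myPassword");
    }

    // Decode a Solidity "short string" (31 bytes or fewer): the bytes sit
    // left-aligned in the slot and the lowest byte holds length * 2.
    function decodeShortString(bytes32 slot) internal pure returns (string memory) {
        uint256 len = uint256(uint8(slot[31])) / 2;
        bytes memory out = new bytes(len);
        for (uint256 i = 0; i < len; i++) {
            out[i] = slot[i];
        }
        return string(out);
    }

    function test_PrivateVariableIsReadableFromStorage() public {
        // `private` only hides the variable from other contracts' Solidity code;
        // the raw slot is still world-readable (cast storage <addr> 1 gives the same bytes).
        bytes32 raw = vm.load(address(store), bytes32(PASSWORD_SLOT));
        string memory leaked = decodeShortString(raw);
        assertEq(leaked, "myPassword");
    }
}
```

Encrypting the value before storing it only helps if the key, and the decryption step, never touch the chain either.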