Severity: high
Valid

"s_password" meant to be secret can be viewed by anyone on-chain

Summary

The contract stores the secret password in "s_password" and assumes that declaring it `private` is enough to keep it secret. However, anyone can read the contract's storage on-chain and retrieve the secret password.

Vulnerability Details

The only meaningful difference between a public and a private state variable is that a public variable gets an auto-generated "getter" function so anyone can read its value easily. A private variable is still retrievable: an attacker only needs to read the contract's storage, which for "s_password" is slot 1. So the secret password is actually visible to anyone.
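As an added illustration (not part of the original submission or the audited contract): decoding the two 32-byte storage words that a query such as `cast storage <address> <slot>` or `eth_getStorageAt` returns, assuming the layout `address s_owner` at slot 0 and `string s_password` at slot 1; the sample words below are constructed, not read from any real chain.

```python
"""Decode the storage layout the finding describes: slot 0 holds the owner
address, slot 1 holds `string s_password` (assumed layout for a contract
declaring those two state variables in that order)."""


def _unhex(word_hex: str) -> bytes:
    """Accept the word with or without a 0x prefix and require 32 bytes."""
    raw = word_hex[2:] if word_hex.startswith("0x") else word_hex
    word = bytes.fromhex(raw)
    if len(word) != 32:
        raise ValueError("storage word must be 32 bytes")
    return word


def decode_address_slot(word: bytes) -> str:
    """An address occupies the low-order 20 bytes of its 32-byte slot."""
    return "0x" + word[12:].hex()


def decode_string_slot(word: bytes) -> str:
    """Decode a Solidity `string` from its slot word.

    Short strings (< 32 bytes) are stored in place: the bytes are
    left-aligned and the lowest byte holds length * 2 (an even value).
    Long strings set the lowest bit instead (length * 2 + 1) and keep
    their bytes in slots starting at keccak256(slot); that case needs
    keccak and further reads, so it is reported rather than decoded here.
    """
    marker = word[31]
    if marker & 1:
        length = (int.from_bytes(word, "big") - 1) // 2
        raise ValueError(f"long string of {length} bytes: data lives at keccak256(slot)")
    length = marker // 2
    if length > 31:
        raise ValueError("invalid short-string length byte")
    return word[:length].decode("utf-8")


def decode_password_store(slot0_hex: str, slot1_hex: str) -> dict:
    """Interpret the two slot words as the owner and the 'private' password."""
    return {
        "owner": decode_address_slot(_unhex(slot0_hex)),
        "password": decode_string_slot(_unhex(slot1_hex)),
    }


# Constructed sample words (what a storage query would return for a deployment
# whose password is "myPassword"); not values from any real contract.
SAMPLE_SLOT0 = "0x" + "00" * 12 + "ab" * 20
SAMPLE_SLOT1 = "0x" + "myPassword".encode().hex().ljust(62, "0") + "14"

if __name__ == "__main__":
    print(decode_password_store(SAMPLE_SLOT0, SAMPLE_SLOT1))
```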

Impact

Any user can retrieve the secret password via smart contract storage review.

Tools Used

Manual Review

Recommendations

Never store sensitive data on-chain. If you really must, at least store it as a hash (and the input compared against it then needs to be a hash too).

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
