The "getPassword" method is meant to let only the owner retrieve the secret password. However, everything a contract stores is public: the "s_password" variable is declared "private", but that keyword only restricts access from other contracts, not from anyone reading the chain. An attacker does not need to call "getPassword" at all; reading the contract's storage (for example with "cast storage" on the slot that holds "s_password") returns the raw 32-byte word, and decoding it yields the password in plaintext.
A basic review with "cast" is therefore enough to decode the stored "s_password", which was supposed to be secret, and the same tooling decodes the return value of "getPassword" when it is called.
Anyone, not only the owner, can obtain the password; the access check on "getPassword" only limits who may call the function, not who can read the data.
Manual Review
Don't store any private data on-chain. If the contract must keep depending on a password, store only a hash of it (keccak256 of the password, ideally combined with a salt) and have the contract compare hashes instead of storing or returning the plaintext. Note that this changes what "getPassword" can do: the owner can verify a password but can no longer retrieve it. The design is still weak because it relies on sensitive data, but the attack surface is smaller: the attacker can no longer read the password from storage and must instead brute-force or dictionary-attack the hash. Since the salt is public on-chain as well, a short or guessable password is still recovered quickly, so this is a mitigation, not a fix.
In Solidity, private functions and state variables are only accessible from within the contract that defines them, not from derived contracts. In this case "private" means visibility, not secrecy or confidentiality: the data is still on-chain and readable by anyone.
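The following is an added example, not code from the original finding or from the PasswordStore project, covering both points above: part 1 decodes a storage word the way a "cast storage" review would, showing that a "private" string is readable by anyone; part 2 models the "store only a hash" mitigation and the brute-force caveat. It assumes that "string private s_password" occupies storage slot 1 (slot 0 holding the owner address), uses a constructed storage word and a constructed wordlist, and uses hashlib.sha3_256 as a stand-in for Solidity's keccak256 (same permutation, different padding byte, so on-chain digests would differ).

```python
# Added example, not code from the original finding or from the PasswordStore
# project. Part 1 decodes a storage word the way a `cast storage` review would;
# part 2 models the "store only a hash" mitigation and the brute-force caveat.
# Assumptions: `string private s_password` occupies storage slot 1 (slot 0 holds
# the owner address), and hashlib.sha3_256 stands in for Solidity's keccak256
# (same permutation, different padding byte, so on-chain digests differ).
import hashlib
import hmac
import os
from typing import Iterable, Optional

# --- Part 1: "private" storage is readable by anyone -------------------------

def decode_short_string_slot(slot_hex: str) -> str:
    """Decode a Solidity `string` that fits inline in its storage word.

    Layout for strings shorter than 32 bytes: the bytes are left-aligned in
    the 32-byte word and the lowest byte holds length * 2 (an even value).
    An odd lowest byte means the string is 32 bytes or longer; its length is
    (value - 1) / 2 and the data starts at keccak256(slot), which this helper
    does not handle.
    """
    hex_word = slot_hex[2:] if slot_hex.startswith("0x") else slot_hex
    if len(hex_word) != 64:
        raise ValueError("expected a 32-byte storage word as 64 hex chars")
    word = bytes.fromhex(hex_word)
    marker = word[31]
    if marker & 1:
        raise ValueError("long string: data lives at keccak256(slot), not inline")
    length = marker // 2
    if length > 31:
        raise ValueError("inconsistent length byte for an inline string")
    return word[:length].decode("utf-8")

# Constructed sample: the word `cast storage <contract> 1` would return when
# s_password == "myPassword" (10 bytes, so the lowest byte is 2*10 = 0x14):
#   0x6d7950617373776f7264 + 21 zero bytes + 14
SAMPLE_SLOT_1 = "0x" + "myPassword".encode("utf-8").hex() + "00" * 21 + "14"

# --- Part 2: storing only a hash, and why that is still a weak design ---------

def password_commitment(salt: bytes, password: str) -> bytes:
    """Value to keep on-chain instead of the plaintext.

    Stand-in for keccak256(abi.encodePacked(salt, password)) in Solidity.
    """
    return hashlib.sha3_256(salt + password.encode("utf-8")).digest()

def verify_password(stored: bytes, salt: bytes, candidate: str) -> bool:
    """What a hardened contract would do: compare hashes, never return the
    plaintext. (On-chain the comparison is a plain equality; compare_digest is
    used here only as good off-chain hygiene.)"""
    return hmac.compare_digest(stored, password_commitment(salt, candidate))

def dictionary_attack(stored: bytes, salt: bytes,
                      guesses: Iterable[str]) -> Optional[str]:
    """Attacker's view: the hash and the salt are both public on-chain, so the
    only barrier left is the password's guessability."""
    for guess in guesses:
        if password_commitment(salt, guess) == stored:
            return guess
    return None

# Constructed inputs: a fixed salt (on-chain it would be public anyway) and a
# tiny wordlist standing in for a real cracking dictionary.
SALT = bytes.fromhex("00" * 31 + "01")
WORDLIST = ["123456", "password", "letmein", "myPassword", "qwerty"]

def demo() -> dict:
    """Run both parts and return the results for inspection."""
    weak = password_commitment(SALT, "myPassword")
    strong_pw = os.urandom(32).hex()          # high-entropy, in no wordlist
    strong = password_commitment(SALT, strong_pw)
    return {
        "plaintext_from_storage": decode_short_string_slot(SAMPLE_SLOT_1),
        "weak_recovered": dictionary_attack(weak, SALT, WORDLIST),
        "strong_recovered": dictionary_attack(strong, SALT, WORDLIST),
        "owner_verifies": verify_password(strong, SALT, strong_pw),
    }

if __name__ == "__main__":
    print(demo())
```

The storage decoder is the actual check a reviewer runs after "cast storage": if the lowest byte is even, the password is right there in the word. The second part shows why hashing only raises the bar: with salt and hash both public, the guessable password is recovered by the wordlist immediately, while a high-entropy one survives that attack, which is exactly the "breaking the hash" cost noted above.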