Severity: high
Valid

Anyone can read a private storage in Ethereum Smart Contract

Summary

Anyone can read a private storage variable in an Ethereum Solidity smart contract.

Vulnerability Details

Marking a storage variable as private only prevents other smart contracts from reading it directly through the ABI. Every storage slot is still public data on the blockchain, so anyone who knows the slot number and the type of the variable (in this case a string) can read it from a node.

Impact

The stored value is a password, so it can be considered a high-impact vulnerability, considering what the password provides access to.

Tools Used

Manual review was used to find this vulnerability.
Reference used: https://medium.com/@0xZorz/how-to-read-dynamic-strings-directly-from-storage-using-foundry-a4f43aa020fb

Recommendations

Storing sensitive data on Ethereum is not advised. If data must be stored, it should be strongly encrypted off chain so that only the ciphertext is written to the blockchain, with the reveal mechanism kept off chain as well.
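The following Foundry test is an added example, not code from the submission or from the audited project. It illustrates both the Vulnerability Details above (a `private` string read straight out of a storage slot with `vm.load`, covering both the inline short-string layout and the keccak-addressed long-string layout) and the Recommendations (a variant that keeps only a commitment on chain). `SecretStore`, `CommitmentStore`, the slot numbers and the sample secrets are all constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

/// Constructed example: a deployer might wrongly believe s_secret is hidden.
contract SecretStore {
    address private s_owner;  // storage slot 0
    string private s_secret;  // storage slot 1

    constructor(string memory secret) {
        s_owner = msg.sender;
        s_secret = secret;
    }
}

/// Constructed hardened variant: only a keccak256 commitment is written on chain.
/// The cleartext stays off chain; the contract can still check a value shown later.
contract CommitmentStore {
    address private s_owner;
    bytes32 private s_secretHash;

    constructor(bytes32 secretHash) {
        s_owner = msg.sender;
        s_secretHash = secretHash;
    }

    function matches(string calldata candidate) external view returns (bool) {
        return keccak256(abi.encodePacked(candidate)) == s_secretHash;
    }
}

contract PrivateStorageTest is Test {
    uint256 constant SECRET_SLOT = 1; // declaration order: owner = 0, secret = 1

    /// Decodes a Solidity `string` from storage by slot number, no getter needed.
    /// Short strings (< 32 bytes) are stored inline: data left-aligned, length*2 in the low byte.
    /// Long strings keep length*2+1 in the slot and their bytes at keccak256(slot).
    function readStringSlot(address target, uint256 slot) internal view returns (string memory) {
        bytes32 word = vm.load(target, bytes32(slot));
        uint256 low = uint256(word) & 0xff;
        if (low % 2 == 0) {
            uint256 len = low / 2;
            bytes memory out = new bytes(len);
            for (uint256 i = 0; i < len; i++) out[i] = word[i];
            return string(out);
        }
        uint256 longLen = (uint256(word) - 1) / 2;
        bytes memory longOut = new bytes(longLen);
        uint256 base = uint256(keccak256(abi.encode(slot)));
        for (uint256 i = 0; i < longLen; i++) {
            if (i % 32 == 0) word = vm.load(target, bytes32(base + i / 32));
            longOut[i] = word[i % 32];
        }
        return string(longOut);
    }

    function test_PrivateShortStringIsReadable() public {
        SecretStore store = new SecretStore("hunter2");
        assertEq(readStringSlot(address(store), SECRET_SLOT), "hunter2");
    }

    function test_PrivateLongStringIsReadable() public {
        string memory longSecret = "this secret is longer than thirty-one bytes so it spills out";
        SecretStore store = new SecretStore(longSecret);
        assertEq(readStringSlot(address(store), SECRET_SLOT), longSecret);
    }

    function test_CommitmentStoreExposesOnlyTheHash() public {
        bytes32 commitment = keccak256(abi.encodePacked("hunter2"));
        CommitmentStore safe = new CommitmentStore(commitment);
        // The slot is still readable, but it holds no cleartext.
        assertEq(vm.load(address(safe), bytes32(SECRET_SLOT)), commitment);
        assertTrue(safe.matches("hunter2"));
        assertFalse(safe.matches("wrong"));
    }
}
```

The two `SecretStore` tests pass for any string the deployer chooses, which is the point of the finding: `private` is an access-control keyword for other contracts, not a confidentiality guarantee. The `CommitmentStore` variant follows the recommendation's principle that nothing secret is ever written to storage, but a hash commitment is only as strong as the secret's entropy; a short, guessable password can still be recovered by guessing against the on-chain hash, so the secret must be high-entropy or, as the recommendation says, the cleartext must be handled off chain entirely.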

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
