The PasswordStore::s_password
variable is a password stored on the blockchain, and can therefore be accessed by anyone.
As soon as a password is set it will be accessible forever by anyone because the storage of smart contracts is public. Therefore, it can be read by the transaction details or by querying a node for the content of the slot that stores the variable.
The impact is high because the protocol does not work as it should. Nobody wants to store his password in a place where it can be read by anyone.
Foundry
Store passwords on the blockchain is not recommended. It depends on what your purpose is, but you may prefer to encrypt it off-chain, with a salt known only to you, and then store it on-chain.
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.