Inside this smart contract we are storing sensitive user data as plain text.
This is a huge no-go and should be changed ASAP.
Inside the 'setPassword' function we are storing the password as a plain text string.
Due to the transparent nature of blockchains like Ethereum, a plain text password stored on-chain is exposed to everyone who can read the chain state.
CRITICAL. Never store any sensitive data as plain text. NEVER.
Tools used: VS Code, Foundry
If you must store a password on-chain (which is itself rare and not recommended), always store a hash of the password rather than the plain text.
Use keccak256, for example, to hash the password before writing it to storage.
Once only the hash is stored, the plain text can no longer be read back via the 'getPassword' function.
Instead, you can reverse the check: let the user submit a password, hash it, and compare the result with the stored hash to see whether it is correct.
This is a slight drawback in user experience but negligible when weighed against the security aspect.
Private functions and state variables are only accessible from the contract they are defined in, not from derived contracts or other contracts. In this case private does not mean secret/confidential: the variable's storage slot is still part of the public chain state and can be read by anyone.
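The recommendation above, as an added example that is not the audited contract's code: the first contract shows the plain text storage pattern the finding describes, the second stores only a keccak256 digest and replaces the plain text getter with a check function. The contract names, the owner handling, the custom error and the 'checkPassword' / 'getPasswordHash' names are assumptions made for this illustration; only 'setPassword' and 'getPassword' come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not the audited contract. Names other than
// setPassword/getPassword are assumptions.

/// "Before": the pattern the finding flags. The string sits in storage in
/// clear, so anyone who can read chain state can read it, regardless of the
/// `private` visibility modifier.
contract PasswordStorePlain {
    error PasswordStorePlain__NotOwner();

    address private immutable i_owner;
    string private s_password; // plain text in a public storage slot

    constructor() {
        i_owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert PasswordStorePlain__NotOwner();
        _;
    }

    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
    }

    function getPassword() external view onlyOwner returns (string memory) {
        return s_password;
    }
}

/// "After": only the keccak256 digest is ever written to storage, and the
/// plain text getter is replaced by a comparison against that digest.
contract PasswordStoreHashed {
    error PasswordStoreHashed__NotOwner();

    address private immutable i_owner;
    bytes32 private s_passwordHash; // digest only; plain text never touches storage

    event PasswordHashSet();

    constructor() {
        i_owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert PasswordStoreHashed__NotOwner();
        _;
    }

    /// Hash the new password before storing it.
    function setPassword(string memory newPassword) external onlyOwner {
        s_passwordHash = keccak256(abi.encodePacked(newPassword));
        emit PasswordHashSet();
    }

    /// There is no getPassword that returns plain text; the digest is all
    /// the contract holds.
    function getPasswordHash() external view onlyOwner returns (bytes32) {
        return s_passwordHash;
    }

    /// Reversed check from the recommendation: the caller supplies a
    /// candidate, the contract hashes it and reports only whether it matches.
    function checkPassword(string memory candidate) external view onlyOwner returns (bool) {
        return keccak256(abi.encodePacked(candidate)) == s_passwordHash;
    }
}
```

To confirm the point about `private` during an audit, a Foundry test can read the slot directly with `vm.load(address(plainStore), bytes32(uint256(1)))` (slot 0 being unused here because `i_owner` is immutable), or `cast storage <address> <slot>` can be run against a deployed instance; in both cases the plain text contract yields the password bytes. Two caveats that follow from the finding's own "not recommended" remark: the hash is as public as the plain text was, so a low-entropy password can still be brute forced offline against it, and the plain text also appears in the calldata of the `setPassword` transaction, which is recorded on-chain regardless of how the contract stores it.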