Submission Details
Severity: high
Valid

The password can be accessed through reading the contract's storage

Summary

Storing sensitive data on-chain is never safe. Sensitive data must not be written to the blockchain at all, because anyone can read the contract's storage or inspect its deployment bytecode and reconstruct the data.

Vulnerability Details

Blockchain data, including contract storage, is immutable and publicly accessible. Once data is stored on the blockchain it cannot be deleted or modified, so sensitive information such as a password is permanently exposed to anyone with access to the chain, which is a significant security risk. Even if the data is initially kept private (for example, declared as a private state variable), anyone can read it at any point in the future.

Proof of Concept

  1. Run the command
    cast storage <contract_address> 1
    to read the raw bytes32 value of the second declared state variable, s_password (storage slot 1).

  2. Decode the bytes32 value with
    cast parse-bytes32-string <encoded_password>
    to recover the plaintext password.
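As an added example (not part of the original submission), the decoding from step 2 in Python: it reproduces what cast parse-bytes32-string does for a Solidity string shorter than 32 bytes, which is the storage form s_password takes in slot 1. The slot value is constructed for this example rather than read from a live chain.

```python
# Added example (not from the original submission): decode the bytes32 word that
# `cast storage <contract_address> 1` returns for s_password, the way
# `cast parse-bytes32-string` does. Solidity stores a string shorter than 32 bytes
# in its own slot: data left-aligned, lowest byte = 2 * length (an even marker).
# A longer string keeps 2 * length + 1 in the slot and its bytes at keccak256(slot).
# The slot value below is constructed for this example, not read from a live chain.

SAMPLE_CAST_STORAGE_OUTPUT = (
    "0x6d7950617373776f7264" + "00" * 21 + "14"  # "myPassword": 10 bytes -> marker 0x14
)


def is_short_string_slot(slot: bytes) -> bool:
    """True when the slot holds the string in place (even length marker)."""
    return len(slot) == 32 and slot[31] % 2 == 0


def decode_short_string_slot(slot: bytes) -> str:
    """Recover the plaintext from an in-place Solidity string slot."""
    if len(slot) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    if not is_short_string_slot(slot):
        # Long form: only the length lives here; data starts at keccak256(slot index).
        raise ValueError("long string of %d bytes, data stored out of slot" % ((slot[31] - 1) // 2))
    length = slot[31] // 2
    return slot[:length].decode("utf-8")


def encode_short_string_slot(s: str) -> bytes:
    """Inverse of decode_short_string_slot; mirrors the layout so fixtures can be built."""
    raw = s.encode("utf-8")
    if len(raw) > 31:
        raise ValueError("strings of 32 bytes or more are not stored in-slot")
    return raw.ljust(31, b"\x00") + bytes([len(raw) * 2])


def decode_cast_storage_output(hex_word: str) -> str:
    """Accept the `cast storage` hex word directly, with or without the 0x prefix."""
    word = hex_word[2:] if hex_word.startswith("0x") else hex_word
    return decode_short_string_slot(bytes.fromhex(word))


if __name__ == "__main__":
    # The `private` keyword plays no part here: the slot contents are public data.
    print(decode_cast_storage_output(SAMPLE_CAST_STORAGE_OUTPUT))  # myPassword
```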

Impact

Exposing sensitive data to the public puts users at risk of unauthorized access, identity theft, and other malicious activities.

Tools Used

Manual Review

Recommendations

Use other, off-chain, methods to store the password instead of keeping it in contract storage.

Updates

Lead Judging Commences
inallhonesty (Lead Judge), almost 2 years ago

Submission Judgement Published
inallhonesty (Lead Judge), almost 2 years ago
Validated
Assigned finding tags: finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in and not to derived contracts. In this case, private doesn't mean secret/confidential.
