Beginner Friendly / Foundry
100 EXP
Submission Details
Severity: high
Valid

`s_password` is publicly visible in transaction data

Summary

s_password is publicly visible in transaction data during each setPassword function call.

Vulnerability Details

Every time the owner calls setPassword, the transaction's calldata is visible to anyone who can read the blockchain. For instance, if the owner calls setPassword() with "myPassword", the transaction data looks like this:
0x290bb4530000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000a6d7950617373776f726400000000000000000000000000000000000000000000
The first 4 bytes, 0x290bb453, are the function selector. The rest is the ABI encoding of the string parameter newPassword: a 32-byte offset (0x20), a 32-byte length (0x0a, i.e. 10 bytes), and the bytes of "myPassword" left-aligned in a 32-byte word; decoding that word as bytes32 yields myPassword.
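To make the decoding concrete, here is an added Python example (not code from the submission or from the PasswordStore project) that ABI-encodes and decodes setPassword(string) calldata. The selector and the hex string are the ones shown above; the function names are my own, and the encoder follows the standard ABI layout for a single dynamic string argument (head word with the offset, then length, then zero-padded data).

```python
# Added example, not part of the original submission: ABI-encode and
# decode setPassword(string) calldata to show that the "private" password
# is readable by anyone who can see the transaction.

SET_PASSWORD_SELECTOR = "290bb453"  # 4-byte selector shown in the finding

# The calldata from the finding, split into selector + three 32-byte words.
CALLDATA = (
    "0x" + SET_PASSWORD_SELECTOR
    + "20".rjust(64, "0")                    # offset of the string (0x20)
    + "0a".rjust(64, "0")                    # length of the string (10 bytes)
    + "6d7950617373776f7264".ljust(64, "0")  # "myPassword", zero-padded
)


def _word(value: int) -> bytes:
    """Encode an integer as a 32-byte big-endian ABI word."""
    return value.to_bytes(32, "big")


def encode_set_password(password: str) -> str:
    """Build the calldata a wallet would send for setPassword(password)."""
    raw = password.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % 32)   # pad up to a 32-byte boundary
    args = _word(32) + _word(len(raw)) + padded  # head word (offset) + tail
    return "0x" + SET_PASSWORD_SELECTOR + args.hex()


def decode_set_password(calldata_hex: str) -> str:
    """Recover the plaintext password from setPassword calldata."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector, args = data[:4].hex(), data[4:]
    if selector != SET_PASSWORD_SELECTOR:
        raise ValueError(f"not a setPassword call: selector 0x{selector}")
    offset = int.from_bytes(args[:32], "big")                # start of the string
    length = int.from_bytes(args[offset:offset + 32], "big")  # byte length
    raw = args[offset + 32:offset + 32 + length]
    if len(raw) != length:
        raise ValueError("truncated calldata")
    return raw.decode("utf-8")


if __name__ == "__main__":
    # Anyone holding the transaction bytes can do exactly this.
    print(decode_set_password(CALLDATA))
```

Run it against any setPassword transaction's input field and the plaintext comes straight out; this is why the recommendation below is to keep the secret off-chain rather than to rely on the `private` visibility modifier.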

Impact

Exposing sensitive data to the public puts users at risk of unauthorized access, identity theft, and other malicious activities.

Tools Used

Manual Review

Recommendations

Use other, off-chain methods to store the password.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret/confidential.
