Exposure of Sensitive Data
Summary
The contract stores sensitive information, specifically a password, in a private variable. While private restricts direct access by other contracts, it does not prevent viewing the data stored in the Ethereum blockchain. Anyone can read this data using a blockchain explorer or Ethereum node.
Vulnerability Details
Deploy the contract on a test network like Rinkeby or use a local Ethereum environment like Ganache.
Call the setPassword function with a test password such as "testPassword123".
Interact with the blockchain (using an Ethereum node or a block explorer that can read contract data) to retrieve the stored data at the contract's address.
Observe that the private password is publicly visible and can be read by any entity interacting with the blockchain.
Impact
Sensitive data is exposed, and any illusion of data privacy is non-existent, defeating the purpose of the contract.
Tools Used
Manual Review
Recommendations
Avoid storing plain sensitive information on the blockchain. Consider off-chain solutions for data that must remain confidential, or use cryptographic techniques to obscure data.
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.