Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Any user can view the stored password on the blockchain, which may lead to password leakage

Summary

Because of how the EVM works, any data passed as a function argument is recorded in the transaction's calldata and is visible on the blockchain. Thus, if you store the password on the blockchain, it will be visible to anyone.

Vulnerability Details

Every time the PasswordStore::setPassword(string memory newPassword) function is called with the password, the passed argument is recorded in the transaction's input data and is visible to anyone inspecting the transaction (for example, on a block explorer). This way, anyone can read the saved password.

Impact

Any user can read the saved password, which may result in loss of access to the service the password was saved for.

Tools Used

Remix
Etherscan

Recommendations

Storing sensitive data on the blockchain is highly undesirable, since anyone can read it both in the transaction calldata and in the contract's storage itself. As a last resort, the password should be hashed where the contract is used (for example, in the front-end) before the function is called, so that only the hash of the password is stored on-chain. But it is better not to store sensitive data on the blockchain at all.
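To make the two exposure paths above concrete (the argument visible in the transaction, and the value visible in storage), here is an added Python example that is not part of the original submission or of the PasswordStore project. It builds a constructed `setPassword(string)` transaction input and a constructed 32-byte storage word, then decodes the password back out of each exactly as any observer could from public chain data. The selector bytes and the sample password are placeholders; the ABI and short-string storage layouts are the standard Solidity ones.

```python
# Added example (not from the original submission): why a password passed to
# PasswordStore::setPassword(string) is readable by anyone. All inputs are
# constructed locally; nothing is fetched from a chain.


def decode_string_calldata(calldata: bytes) -> str:
    """Decode the single `string` argument of an ABI-encoded call.

    Solidity ABI layout: 4-byte selector, a 32-byte offset to the dynamic
    data, a 32-byte length word, then the UTF-8 bytes padded to 32 bytes.
    The selector's value is irrelevant to the decoding.
    """
    if len(calldata) < 4 + 64:
        raise ValueError("calldata too short for a string argument")
    args = calldata[4:]
    offset = int.from_bytes(args[0:32], "big")
    length = int.from_bytes(args[offset:offset + 32], "big")
    start = offset + 32
    data = args[start:start + length]
    if len(data) != length:
        raise ValueError("truncated string data")
    return data.decode("utf-8")


def encode_string_calldata(selector: bytes, value: str) -> bytes:
    """ABI-encode `selector(string)`; used only to build the sample tx input."""
    raw = value.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % 32)
    return (selector
            + (32).to_bytes(32, "big")       # offset to the dynamic part
            + len(raw).to_bytes(32, "big")   # string length in bytes
            + padded)


def decode_short_string_slot(word: bytes) -> str:
    """Decode a Solidity `string` stored in-place in one 32-byte storage word.

    For strings shorter than 32 bytes the data is left-aligned and the lowest
    byte holds 2 * length (an even value). Anyone can read such a word with
    eth_getStorageAt, so `private` gives no confidentiality.
    """
    if len(word) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    marker = word[31]
    if marker % 2 == 1:
        raise ValueError("long string: data lives in keccak-derived slots")
    length = marker // 2
    return word[:length].decode("utf-8")


def encode_short_string_slot(value: str) -> bytes:
    """Build the in-place storage word for a short string (sample only)."""
    raw = value.encode("utf-8")
    if len(raw) >= 32:
        raise ValueError("only short strings are stored in-place")
    return raw + b"\x00" * (31 - len(raw)) + bytes([2 * len(raw)])


# Placeholder selector: the real one is keccak256("setPassword(string)")[:4];
# its value does not affect the decoding shown here.
SAMPLE_SELECTOR = b"\x00\x00\x00\x00"
SAMPLE_PASSWORD = "hunter2"  # constructed sample value, not from the page


def demo() -> tuple:
    """Recover the sample password from both public views of it."""
    tx_input = encode_string_calldata(SAMPLE_SELECTOR, SAMPLE_PASSWORD)
    from_calldata = decode_string_calldata(tx_input)
    slot_word = encode_short_string_slot(SAMPLE_PASSWORD)
    from_storage = decode_short_string_slot(slot_word)
    return from_calldata, from_storage


if __name__ == "__main__":
    tx, st = demo()
    print("password recovered from transaction input:", tx)
    print("password recovered from storage slot:     ", st)
```

The point of the two decoders is that neither needs any privilege: the calldata is part of the mined transaction and the storage word is served by any node's `eth_getStorageAt`. Hashing off-chain, as the recommendation suggests, changes what is exposed but still leaves a value that can be checked against guesses, which is why not storing the secret at all remains the better option.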

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, and not to derived contracts. In this case, private doesn't mean secret/confidential.
