The contract assumes a stored password would not be visible to anyone but the owner. However, nothing on the blockchain is truly secret.
The s_password variable is part of the contract's state and, as such, can be retrieved with tools freely available on the Internet.
For the local (anvil) case, the forge and cast tools can be used.
The steps to retrieve the value of the stored password follow:
1. Find out the storage slot number of the variable we are interested in. In the concrete case we are interested in s_password, which happens to be stored in slot 1.
2. The contract is deployed at address 0x5FbDB2315678afecb367f032d93F642f64180aa3. With the cast tool we can query the value of every slot and decode the result.
3. We can see the password in plaintext.
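The decoding step above, as an added example (not part of the finding or of the audited project): `cast storage <address> <slot>` returns the raw 32-byte word held in a slot, and the function below turns that word into the Solidity string it encodes, following the storage layout rules for strings shorter than 32 bytes (data left-aligned, lowest byte holding twice the length). The sample word and the password "myPassword" it encodes are constructed for illustration; the page does not state the real value.

```python
"""Decode a raw 32-byte storage word (as printed by `cast storage <addr> <slot>`)
into the Solidity `string` stored there. Added example; not the finding's or
the project's own code."""


def decode_short_string(word_hex: str) -> str:
    """Decode a Solidity string that fits in a single storage slot (< 32 bytes).

    Storage layout for short strings: the UTF-8 bytes sit left-aligned in the
    word and the lowest-order byte holds 2 * length. An odd low byte marks a
    long string: the word then holds 2 * length + 1 and the data lives in
    consecutive slots starting at keccak256(slot). That case is reported
    rather than decoded here.
    """
    word = bytes.fromhex(word_hex[2:] if word_hex.startswith("0x") else word_hex)
    if len(word) != 32:
        raise ValueError(f"expected a 32-byte word, got {len(word)} bytes")
    marker = word[-1]
    if marker & 1:
        length = (int.from_bytes(word, "big") - 1) // 2
        raise ValueError(
            f"long string of {length} bytes: data is stored from keccak256(slot) onward"
        )
    length = marker // 2
    if length > 31:
        raise ValueError("short-string length byte out of range")
    return word[:length].decode("utf-8")


def encode_short_string(s: str) -> str:
    """Inverse of decode_short_string; used to build the constructed sample."""
    data = s.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only strings shorter than 32 bytes fit in one slot")
    word = data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])
    return "0x" + word.hex()


# Constructed sample word: what slot 1 of the contract at
# 0x5FbDB2315678afecb367f032d93F642f64180aa3 would hold if the stored password
# were "myPassword" (10 bytes, so the low byte is 0x14 = 20). Made up for the
# example; the real value is not given on the page.
SAMPLE_SLOT_1 = "0x6d7950617373776f7264" + "00" * 21 + "14"


if __name__ == "__main__":
    # Prints the plaintext password recovered from the raw slot value.
    print(decode_short_string(SAMPLE_SLOT_1))
```

Because the word is readable by anyone with RPC access to the chain, the `private` keyword only restricts Solidity-level access, not visibility of the stored bytes.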
Severity: High
Manual review was used.
No automatic code-analysis tools were used.
The standard tools described in https://book.getfoundry.sh/ (forge, cast and anvil) were used to deploy, test and query the contract.
Don't use a public blockchain for password storage.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private does not mean secret or confidential.