Submission Details
Severity: high
Valid

Plaintext Passwords: theft opportunity

Summary

The password is stored in plaintext in contract storage, which anyone can read (the private keyword only restricts access from other contracts, not from observers of the chain). This is a critical issue. Additionally, the password is passed as a parameter to the setPassword function, so anyone can also recover it by decoding the calldata of any transaction that calls setPassword.

Vulnerability Details

The password is passed in plaintext as the newPassword parameter of:

function setPassword(string memory newPassword) external

And is then stored directly in the contract storage with:

s_password = newPassword;

Impact

Anyone can read the password, as it is broadcast to the blockchain in plaintext, both in the transaction calldata and in the contract's storage.

Tools Used

Recommendations

A password should never be stored in plaintext; only a hash of it should be kept on-chain. The choice of hash function will depend on the network the contract is deployed on (e.g., keccak256 for an EVM chain, Pedersen or Poseidon for a ZK-rollup such as Starknet).
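As an added illustration of the recommendation (example code, not part of the contest's PasswordStore project), the following contract keeps only a keccak256 digest on-chain; the owner hashes the password off-chain and submits the digest, so neither storage nor calldata ever carries the plaintext. Contract and function names, the owner check, and the error type are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Hardened variant of a password store: only a keccak256 digest is kept.
/// The plaintext password never reaches the chain; the caller computes
/// keccak256(abi.encodePacked(password)) off-chain and submits the digest.
contract HashedPasswordStore {
    error NotOwner();

    address private immutable i_owner;

    // 'private' only hides this from other contracts; the storage slot is
    // still readable by anyone, which is why it must hold a digest, not
    // the password. A digest of a low-entropy password is still guessable
    // offline, so the secret itself must be high-entropy.
    bytes32 private s_passwordHash;

    constructor(bytes32 initialHash) {
        i_owner = msg.sender;
        s_passwordHash = initialHash;
    }

    /// Replaces the stored digest. Calldata carries only the new digest.
    function setPasswordHash(bytes32 newHash) external {
        if (msg.sender != i_owner) revert NotOwner();
        s_passwordHash = newHash;
    }

    /// Returns true when the submitted digest matches the stored one.
    /// The candidate is already a hash, so revealing it in calldata
    /// discloses nothing beyond what storage already exposes.
    function verify(bytes32 candidateHash) external view returns (bool) {
        if (msg.sender != i_owner) revert NotOwner();
        return candidateHash == s_passwordHash;
    }
}
```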

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible within the contract they are defined in, and not in derived contracts. In this case, private doesn't mean secret/confidential.
