Submission Details
Severity: high
Valid

Everyone can get the password value.

Summary

The s_password value is accessible by everyone.

Vulnerability Details

The s_password variable is used to store the password. However, anyone can read its value, even though it is marked as private and even though the getPassword function checks that msg.sender is the owner of the contract.

Impact

Everyone knows the password.

Tools Used

Manual Review, Foundry

Proof of Concept

There are 2 ways that we can get the s_password value.

  1. Read the setPassword tx data.

  2. Get the storage slot value.

1. Read the setPassword tx data.

A user can simply check the tx data of the setPassword transaction and see what the new password is.

2. Get the storage slot value.

Everything on the blockchain is public, and we can read any variable's data by reading the storage slot it is stored in. To read storage slot 1, where the password is stored, type cast storage contractAddress 1 in the terminal. The result will be 0x6d7950617373776f726400000000000000000000000000000000000000000014. If we take this part of the result, 6d7950617373776f7264, and put it in a hex-to-string converter, we get myPassword, which is the password the owner set.
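
The two reads above, as an added Python example that is not part of the original submission: it decodes a Solidity string from a raw storage slot, which also accounts for the trailing 0x14 (length 10 times 2), and from ABI-encoded calldata. It goes slightly beyond the report by also recognising long strings; the calldata sample is constructed and its 00000000 selector is a placeholder, not the real setPassword selector.

```python
"""Decode a Solidity `string` from its storage slot and from ABI calldata."""


def decode_storage_string(slot_hex: str):
    """Decode a 32-byte storage slot holding a Solidity string.

    Short strings (<= 31 bytes) sit left-aligned in the slot with
    length * 2 in the lowest byte. Long strings store length * 2 + 1
    in the slot, and the data lives at keccak256(slot index) onward.
    Returns (text, length); text is None for a long string.
    """
    raw = bytes.fromhex(slot_hex.removeprefix("0x"))
    if len(raw) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    if raw[31] & 1:  # lowest bit set: long string, data is in other slots
        return None, (int.from_bytes(raw, "big") - 1) // 2
    length = raw[31] // 2
    return raw[:length].decode("utf-8"), length


def decode_calldata_string(calldata_hex: str) -> str:
    """Decode the single `string` argument of a call such as setPassword."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    args = data[4:]  # skip the 4-byte function selector
    offset = int.from_bytes(args[0:32], "big")
    length = int.from_bytes(args[offset:offset + 32], "big")
    body = args[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("calldata is truncated")
    return body.decode("utf-8")


# Slot 1 value from the report: 10 data bytes, 21 zero bytes, length byte 0x14.
SLOT_1 = "0x" + "6d7950617373776f7264" + "00" * 21 + "14"

# Constructed calldata; "00000000" is a placeholder, not the real selector.
CALLDATA = (
    "0x00000000"
    + (32).to_bytes(32, "big").hex()   # offset to the string
    + (10).to_bytes(32, "big").hex()   # string length
    + b"myPassword".hex() + "00" * 22  # data padded to 32 bytes
)

if __name__ == "__main__":
    print(decode_storage_string(SLOT_1))
    print(decode_calldata_string(CALLDATA))
```
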

Recommendations

Store the password off-chain.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
