Sensitive data such as s_password is stored on the blockchain and can be read by everyone.
In Ethereum, all data on the blockchain is public, including variables declared private in smart contracts. Therefore, it is not possible to store private data such as a password in a smart contract in a way that prevents others from reading it.
Anyone can read the password stored in the variable s_password without calling the getPassword() function and without being the owner.
The data stored in the private variable s_password is neither safe nor private: anyone can read it directly from contract storage. In this case the value of s_password is stored in storage slot 1.
In Foundry the value of s_password can be read with the following command:
cast storage <contractAddress> <slot>
In this particular case I used the command: cast storage 0x5FbDB2315678afecb367f032d93F642f64180aa3 1 and the returned value is:
0x6d7950617373776f726400000000000000000000000000000000000000000014.
The returned value is hexadecimal, so it can be converted to text with the command cast to-ascii 0x6d7950617373776f726400000000000000000000000000000000000000000014, which returns the password that was stored in s_password when the contract was deployed: myPassword.
Tools used: VS Code, Foundry
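As an added example (not part of the finding itself), the following Python script decodes the storage word that cast storage returns for a Solidity string, instead of relying on cast to-ascii. It explains the trailing 0x14 byte in the value above: Solidity packs a string of at most 31 bytes into its own slot, left-aligned, with the lowest byte holding twice the length (10 bytes, so 0x14). It also goes slightly beyond the finding by recognising the long-string layout, where the slot holds 2 * length + 1 and the text lives at keccak256(slot) onward. The slot value is copied from the finding; the function names are this example's own.

```python
# Added example, not code from the finding: decode the 32-byte storage word that
# `cast storage <contract> <slot>` returns for a Solidity `string` variable.
# Short strings (<= 31 bytes): bytes left-aligned, lowest byte = 2 * length.
# Long strings: lowest bit set, slot holds 2 * length + 1, data at keccak256(slot).


def _word_bytes(word_hex: str) -> bytes:
    """Parse a 0x-prefixed (or bare) 64-hex-digit storage word into 32 bytes."""
    hex_digits = word_hex[2:] if word_hex.lower().startswith("0x") else word_hex
    raw = bytes.fromhex(hex_digits)
    if len(raw) != 32:
        raise ValueError(f"storage word must be 32 bytes, got {len(raw)}")
    return raw


def decode_string_slot(word_hex: str) -> dict:
    """Interpret a storage word using Solidity's layout for `string` / `bytes`.

    Returns {"kind": "short", "length": n, "value": "<text>"} when the text sits
    in the slot itself, or {"kind": "long", "length": n, "value": None} when the
    slot only carries the length and the bytes live at keccak256(slot).
    """
    raw = _word_bytes(word_hex)
    marker = raw[-1]
    if marker & 1 == 0:
        length = marker // 2
        if length > 31:
            raise ValueError("short-string length marker out of range")
        return {"kind": "short", "length": length,
                "value": raw[:length].decode("utf-8", errors="replace")}
    length = (int.from_bytes(raw, "big") - 1) // 2
    return {"kind": "long", "length": length, "value": None}


def encode_short_string(text: str) -> str:
    """Build the storage word Solidity writes for a string of at most 31 bytes."""
    data = text.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only short strings (<= 31 bytes) fit in one slot")
    word = data + b"\x00" * (31 - len(data)) + bytes([2 * len(data)])
    return "0x" + word.hex()


# The word the finding reports for slot 1 of the deployed contract.
SLOT1_WORD = "0x6d7950617373776f726400000000000000000000000000000000000000000014"

if __name__ == "__main__":
    print(decode_string_slot(SLOT1_WORD))            # short string, 10 bytes: myPassword
    print(encode_short_string("myPassword") == SLOT1_WORD)
```

Running the script round-trips the value from the finding: the word decodes to myPassword, and encoding myPassword reproduces the exact word cast storage returned, which is why no key, owner check or getPassword() call stands between an observer and the plaintext.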
You can store a hash of the password instead of the password itself. This way, even if someone reads the hash from the blockchain, they won't be able to determine the original password.
You can use the Elliptic Curve Digital Signature Algorithm (ECDSA) library from OpenZeppelin:
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/ECDSA.sol
The function setPassword() should be modified to store the hash of the password:
Private functions and state variables are only visible inside the contract that defines them, not in derived contracts. Here private does not mean secret or confidential.