The password is stored in a string state variable, which anyone with access to the smart contract's storage can read, so a malicious user can learn it and gain access to the smart contract.
Passwords should not be stored as a string in Solidity because strings are plain text and can be easily read by anyone who has access to the smart contract.
If an attacker were to gain access to the smart contract, they would also have access to all of the privileges associated with it.
This will lead to a loss of access to the smart contract and the funds stored in it. It could also lead to DoS.
VS Code, Remix
Passwords should be stored as a hash. A hash is a one-way function that converts an input into a fixed-size value, and it is computationally infeasible to reverse a hash to recover the original input. This makes it much more difficult for attackers to steal passwords, even if they have access to the smart contract.
To store a password as a hash in Solidity, we can use the keccak256() function. For this, the value passed to keccak256() has to be of type bytes rather than string (a string can be converted with bytes(password)).
This function takes a bytes value as input and returns a 256-bit hash (bytes32).
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case private does not mean secret or confidential: the variable's storage slot can still be read by anyone who inspects the chain.
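The vulnerable pattern beside the hashed pattern, as an added example written for this finding and not taken from the audited project; the contract and function names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Vulnerable pattern from the finding: the cleartext password occupies a
// storage slot that anyone can read (e.g. via eth_getStorageAt).
// "private" only hides it from other contracts, not from chain observers.
contract PasswordStoreVulnerable {
    address private s_owner;
    string private s_password;

    constructor() {
        s_owner = msg.sender;
    }

    function setPassword(string memory newPassword) external {
        require(msg.sender == s_owner, "not owner");
        s_password = newPassword;
    }
}

// Hardened pattern: only keccak256(bytes(password)) is stored and compared.
// The stored hash is still readable on-chain, so the mitigation relies on
// the password having enough entropy to resist offline guessing.
contract PasswordStoreHashed {
    address private immutable i_owner;
    bytes32 private s_passwordHash;

    event PasswordHashUpdated();

    // The owner computes keccak256 off-chain and submits only the hash,
    // so the cleartext never appears in a transaction's calldata.
    constructor(bytes32 initialHash) {
        i_owner = msg.sender;
        s_passwordHash = initialHash;
    }

    function setPasswordHash(bytes32 newHash) external {
        require(msg.sender == i_owner, "not owner");
        s_passwordHash = newHash;
        emit PasswordHashUpdated();
    }

    // keccak256 takes bytes, not string, and returns bytes32; a view call
    // via eth_call does not broadcast the candidate on-chain.
    function checkPassword(bytes memory candidate) external view returns (bool) {
        require(msg.sender == i_owner, "not owner");
        return keccak256(candidate) == s_passwordHash;
    }
}
```

In Remix, deploy PasswordStoreHashed with a hash computed off-chain (for example with ethers' keccak256 over the UTF-8 bytes of the password) and confirm that checkPassword returns true only for that exact input.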