The core functionality of the PasswordStore contract is fundamentally flawed. The contract is supposed to store a private password that nobody other than the s_owner can retrieve. However, anyone can read the storage variables of any contract on the Ethereum blockchain, so the password can be read by anyone, violating the privacy claim.
The variable s_password is declared as private and the getter getPassword() checks that the caller is the owner of the contract. However, that does not make the password private: contract storage is publicly readable by anyone. An attacker can read the password directly from the chain using, for example, Foundry's cast storage command.
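As an added example (not part of the original finding), the following Python helper decodes a short Solidity string from the raw 32-byte slot value that a tool like cast storage prints, which is all an auditor needs to confirm that a "private" string is recoverable. It assumes a PasswordStore-style layout with the owner address in slot 0 and s_password in slot 1, and works on a constructed sample slot rather than live chain data.

```python
"""Decode a Solidity `string` stored in a single contract storage slot.

Shows why `private` is not `secret`: once the raw slot is fetched (for
example with `cast storage <address> <slot>`), the plaintext falls out.
Layout assumption (not stated on the page): owner in slot 0, string in slot 1.
"""


def decode_short_string_slot(slot_value: bytes) -> str:
    """Decode a short (<= 31 byte) Solidity string from its 32-byte slot.

    Solidity storage rules: the string bytes are left-aligned and the
    lowest-order byte holds 2 * length. If the lowest bit is set, the string
    is >= 32 bytes and its data lives in keccak256(slot)-derived slots instead.
    """
    if len(slot_value) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    marker = slot_value[31]
    if marker & 1:
        byte_len = (int.from_bytes(slot_value, "big") - 1) // 2
        raise ValueError(f"long string ({byte_len} bytes): data is in keccak256(slot)-derived slots")
    length = marker // 2
    if length > 31:
        raise ValueError("invalid short-string marker")
    return slot_value[:length].decode("utf-8")


def encode_short_string_slot(s: str) -> bytes:
    """Build the slot a short string occupies (used here to construct samples)."""
    data = s.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only short strings are encoded here")
    return data.ljust(31, b"\x00") + bytes([len(data) * 2])


# Constructed sample: what `cast storage <addr> 1` would print for this layout.
SAMPLE_SLOT_1 = "0x" + encode_short_string_slot("myPassword").hex()


def recover_password(hex_slot: str) -> str:
    """Turn the hex string printed by `cast storage` back into the plaintext."""
    raw = hex_slot[2:] if hex_slot.startswith("0x") else hex_slot
    return decode_short_string_slot(bytes.fromhex(raw))


if __name__ == "__main__":
    print(SAMPLE_SLOT_1)
    print(recover_password(SAMPLE_SLOT_1))  # prints "myPassword"
```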
The sensitive data, supposedly secret, is publicly visible to anyone.
Manual review
Do not store any sensitive private data on-chain. If you absolutely must store the password in the contract, encrypt it off-chain with a secure encryption algorithm before storing it on the blockchain.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this context, private does not mean secret or confidential.