Private state variable s_password can be publicly fetched.
The contract password is stored on-chain in a private state variable. Because every contract's storage is readable by anyone, the value can still be retrieved by any user by calling getStorageAt on the deployed contract and reading storage slot 1 (assuming the password bytes and its length fit in a single storage slot, i.e. the string is 31 bytes or shorter). In the returned slot word, 6d7950617373776f7264 is the byte representation of the string myPassword; the remaining bytes are zero padding, with the lowest-order byte holding twice the string length, which is how Solidity lays out strings of 31 bytes or fewer.
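To make the slot-reading step concrete, the following is an added example (not code from the audit report or the PasswordStore project). It builds the eth_getStorageAt JSON-RPC request for a given contract and slot, and decodes a 32-byte storage word using Solidity's short-string layout (data left-aligned, lowest byte equal to twice the length). The slot word used as input is a constructed sample of what slot 1 holds after "myPassword" is set; the contract address in the usage call is a placeholder assumption.

```python
"""Read and decode a Solidity short string from a raw storage slot word."""
import json

# Constructed sample of the s_password slot: the 10 bytes of "myPassword",
# 21 bytes of zero padding, then 0x14 (= 2 * 10) as the length marker.
SAMPLE_SLOT_1 = "0x6d7950617373776f7264" + "00" * 21 + "14"


def build_get_storage_at(contract: str, slot: int, block: str = "latest") -> dict:
    """JSON-RPC payload for eth_getStorageAt; POST it to any node RPC endpoint.

    The response's "result" field is the 32-byte word passed to decode_short_string.
    """
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_getStorageAt",
        "params": [contract, hex(slot), block],
    }


def decode_short_string(word_hex: str) -> str:
    """Decode a Solidity string that fits in one slot (31 bytes or fewer).

    Solidity stores such strings left-aligned in the word and puts 2*length in the
    lowest-order byte. Longer strings store 2*length+1 in the slot (odd marker) and
    keep their bytes at keccak256(slot); those are reported rather than decoded.
    """
    word = bytes.fromhex(word_hex[2:] if word_hex.startswith("0x") else word_hex)
    if len(word) != 32:
        raise ValueError("a storage word must be exactly 32 bytes")
    marker = word[-1]
    if marker & 1:
        length = (int.from_bytes(word, "big") - 1) // 2
        raise ValueError(
            f"long string of {length} bytes: data lives at keccak256(slot), not in this word"
        )
    length = marker // 2
    if length > 31:
        raise ValueError("invalid short-string length marker")
    return word[:length].decode("utf-8")


if __name__ == "__main__":
    # Placeholder address (assumption); substitute the deployed PasswordStore address.
    request = build_get_storage_at("0x" + "00" * 20, slot=1)
    print(json.dumps(request))
    print(decode_short_string(SAMPLE_SLOT_1))
```

Slot 0 of the same contract holds the owner address (a 20-byte value right-aligned in the word), so the same request with slot=0 returns it; only the string decoding differs. A string longer than 31 bytes is detected by the odd marker and must be fetched from the slot computed as keccak256 of the slot number.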
Exposing sensitive information such as passwords allows anyone who reads the slot to learn the password, defeating the access control it is meant to provide and compromising the integrity of the contract and potentially the user's data.
Manual Review
We recommend not storing passwords directly on the blockchain. Alternatively, consider storing only their hash values, bearing in mind that a password passed to the contract as a function argument is still visible in the transaction's calldata, and that a hash of a low-entropy password can be brute-forced offline. If the requirement is to verify ownership, it is advised to use a method that simply checks whether msg.sender is the contract's owner, as this provides much more security and privacy than storing the owner's password.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this context, private does not mean secret or confidential: the value of every state variable is readable from the chain regardless of its visibility.