The storage variable s_password can be viewed by everyone
Summary
The storage variable s_password that is supposed to be kept private just for the owner can be obtained by everyone
Vulnerability Details
Declaring a storage variable as private just means that only the smart contract can get this data ON-CHAIN. However, everyone can get the value of all storage variables of all deployed smart contract just by knowing the contract address and the storage slot where the variable is stored.
Impact
High, sensible data leakage
Tools Used
Manual Review
Recommendations
Sensible data can not be stored directly into the blockchain. Probably the best recommendation to store private data on-chain is by hashing the data and storing the hash. Then once the data is needed to be obtained/checked, the user has to compare if his guess for the password being hashed matches the stored hashm if it does, this is the password, if not no.
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.