Even though s_password is a private variable and getPassword can only be called by the owner, due to the nature of the blockchain anyone can still read the password.
There are multiple ways people can read the password of this contract.
First of all, even though the s_password variable is declared private, there are no secret or private variables on the blockchain: anyone can read them by fetching the contract's storage slots directly. In this case the password sits in storage slot 1.
Another way of getting the password would simply be to look at the contract's transactions on a block explorer such as Etherscan and inspect the calldata of the latest setPassword() call.
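To make the storage-slot point concrete, here is an added example (not part of the original finding or the PasswordStore code) that decodes the 32-byte word a Solidity `string` occupies in storage. It assumes `s_password` is a `string private` stored in slot 1, fetched with the JSON-RPC method `eth_getStorageAt`; the sample slot word is constructed for the demonstration.

```python
# Added example, not the page's own code: decoding a Solidity string storage
# slot to show why a `private` string is still readable by anyone.
# Assumptions: the contract declares `string private s_password` in slot 1,
# and the raw 32-byte word is obtained with eth_getStorageAt(contract, "0x1", "latest").

def encode_short_string_slot(value: str) -> bytes:
    """Build the 32-byte word Solidity stores for a string shorter than 32 bytes."""
    data = value.encode()
    if len(data) >= 32:
        raise ValueError("strings of 32+ bytes are stored out of line, not in the slot")
    # Bytes are left-aligned; the lowest byte holds length * 2 (even => short string).
    return data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])

def decode_string_slot(word: bytes) -> str:
    """Recover the string held in a Solidity string storage slot word."""
    if len(word) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    marker = word[31]
    if marker & 1:
        # Odd low byte: the string is >= 32 bytes. The slot then holds length*2+1
        # and the bytes live at keccak256(slot), keccak256(slot)+1, ... (not handled here).
        raise ValueError(f"long string of {(marker - 1) // 2} bytes stored out of line")
    length = marker // 2
    return word[:length].decode()

# Constructed sample: what eth_getStorageAt would return for slot 1 after the
# owner called setPassword("myPassword").
SAMPLE_SLOT_1 = bytes.fromhex("6d7950617373776f7264" + "00" * 21 + "14")

if __name__ == "__main__":
    print(decode_string_slot(SAMPLE_SLOT_1))  # myPassword
```

No key, owner check or `getPassword` call is involved: the plaintext is recoverable from the slot word alone, which is the property the finding relies on.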
Anyone is able to read the 'secret' password, breaking the core functionality of the contract.
Tools used: manual analysis.

Recommendation: do not use smart contracts to store passwords.
Private functions and state variables are only visible to the contract they are defined in, and not to derived contracts. In this context, private does not mean secret or confidential.