Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

s_password can be seen by anyone - high severity

Summary

The 'PasswordStore::s_password' variable can be read by anyone at any time: nothing stored on a public blockchain is hidden. The stored password is not private to the owner. Anyone who reads the contract's storage slot for the variable, or decodes the input data of the transaction that last set it, can recover the password in plaintext.

Vulnerability Details

@> string private s_password;

Because nothing stored on a blockchain can be hidden, the s_password variable can be read by anyone at any time. Declaring s_password as private only restricts Solidity-level access to the code of the contract in which it is declared; it does not make the value secret or prevent anyone from reading it directly from storage or from transaction input data.

Impact

Using Remix, I deployed the PasswordStore.sol contract and called setPassword() using 'dragon' as my string input. Below is the input data from that transaction. This input data would be visible to anyone on any common blockchain explorer, such as Etherscan.

0x290bb45300000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000006647261676f6e0000000000000000000000000000000000000000000000000000

Using Foundry, I ran the below command to decode the input data using the publicly known function selector. The output of the command gave me the set password of 'dragon'.

cast --calldata-decode "setPassword(string)" 0x290bb45300000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000006647261676f6e0000000000000000000000000000000000000000000000000000

This shows that anybody can read the s_password variable at any time. The same value is also readable without the transaction at all, by querying the contract's storage slot for s_password on any node.
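The two lookups described above, as an added example written for this report (it is not the project's code and does not call cast): a plain-Python ABI decoder for the setPassword(string) calldata shown above, and a decoder for the raw 32-byte storage slot that a storage query would return for s_password. The selector 0x290bb453 is taken from the calldata on this page; the storage slot contents are constructed by hand from Solidity's documented encoding for strings shorter than 32 bytes (data left-aligned, length*2 in the last byte), and the slot number itself is not assumed.

```python
"""Decode the two public views of PasswordStore's "private" password.

Added example for this report, not code from the PasswordStore project.
It reimplements, with no dependencies, the two lookups the report
describes:

  1. ABI-decoding the setPassword(string) calldata that a block explorer
     shows for the transaction that set the password.
  2. Decoding the raw 32-byte storage slot that `cast storage` or
     `eth_getStorageAt` would return for s_password.

Assumptions: the selector 0x290bb453 is copied from the report's own
calldata; S_PASSWORD_SLOT_HEX is constructed by hand following Solidity's
short-string storage encoding (bytes left-aligned, 2 * length in the
lowest byte) and is not a value read from a live chain.
"""

# Calldata copied from the report: setPassword("dragon").
CALLDATA_HEX = (
    "0x290bb453"
    "0000000000000000000000000000000000000000000000000000000000000020"
    "0000000000000000000000000000000000000000000000000000000000000006"
    "647261676f6e0000000000000000000000000000000000000000000000000000"
)

SET_PASSWORD_SELECTOR = bytes.fromhex("290bb453")


def decode_set_password_calldata(calldata_hex: str) -> str:
    """Recover the string argument of setPassword(string) from raw calldata.

    ABI layout for a single dynamic `string` argument:
      [0:4]          function selector
      [4:36]         offset of the (length, data) pair, relative to byte 4
      [off:off+32]   byte length of the string
      [off+32:...]   UTF-8 bytes, right-padded with zeros to 32 bytes
    """
    if calldata_hex.startswith("0x"):
        calldata_hex = calldata_hex[2:]
    data = bytes.fromhex(calldata_hex)
    if data[:4] != SET_PASSWORD_SELECTOR:
        raise ValueError(f"unexpected selector {data[:4].hex()}")
    args = data[4:]
    offset = int.from_bytes(args[0:32], "big")
    length = int.from_bytes(args[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(args):
        raise ValueError("calldata truncated: declared length exceeds payload")
    return args[start:start + length].decode("utf-8")


def decode_short_string_slot(slot_value: bytes) -> str:
    """Decode a `string` stored inline in its own 32-byte storage slot.

    Solidity packs strings of at most 31 bytes into the variable's slot:
    the bytes sit at the high end and the lowest byte holds 2 * length.
    An odd lowest byte means the string is 32 bytes or longer and its data
    lives at keccak256(slot); that case is reported rather than guessed.
    """
    if len(slot_value) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    marker = slot_value[-1]
    if marker & 1:
        raise ValueError("long string: length is (marker - 1) // 2, data at keccak256(slot)")
    length = marker // 2
    if length > 31:
        raise ValueError("invalid short-string marker")
    return slot_value[:length].decode("utf-8")


# Constructed slot contents for s_password == "dragon": 6 bytes of data,
# 25 zero bytes of padding, marker byte 0x0c (= 2 * 6). This is what a
# storage query for the variable's slot returns after the transaction above.
S_PASSWORD_SLOT_HEX = "647261676f6e" + "00" * 25 + "0c"


if __name__ == "__main__":
    print("from calldata:", decode_set_password_calldata(CALLDATA_HEX))
    print("from storage :", decode_short_string_slot(bytes.fromhex(S_PASSWORD_SLOT_HEX)))
```

Both paths yield the same plaintext, which is the point of the finding: the transaction history and the contract's storage are two independent public copies of the "private" value, so removing one (for example by setting the password in the constructor) would not hide the other.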

Tools Used

- Foundry
- Remix

Recommendations

The best recommendation is not to store sensitive passwords on a public blockchain at all. If storing one is unavoidable, encrypt the password off-chain and store only the ciphertext, keeping the decryption key off-chain; the stored value is still public, so its confidentiality rests entirely on the strength of the key and the cipher, not on the contract.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
