The setPassword() function reveals the password. It's possible to extract the password from the setPassword() function call if the transaction can be found in blockchain explorers such as Etherscan or Tenderly.
The setPassword() function can be called by anyone. Every call which changes the state of the blockchain can be monitored with the help of blockchain explorers.
Below are some examples of how the passwords can be revealed with the help of Etherscan and Tenderly.
The SetNetPassword event makes it even easier to find the transaction number of the setPassword() function, because the setPassword() function calls can be found by searching for the emitted SetNetPassword event.
Manual audit
Etherscan
Tenderly
It is possible to monitor all function calls on the blockchain. Unfortunately there is no alternative way to hide a storage value unless it is hashed by a function such as keccak256.
Another alternative can be to hash the passwords off-chain and store them on the blockchain after they are hashed. This adds an additional step to the whole process and brings centralization risks.
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
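The following added example (not part of the original finding or the audited contract) shows why the value is recoverable: it decodes a string argument from transaction input, as an explorer does, and from a raw storage slot of a private variable. It assumes setPassword() takes a single string argument and that the password is shorter than 32 bytes; the selector is a placeholder and the password is a constructed sample.

```python
# Added example on constructed data; runs offline, no node or explorer needed.

def encode_string_call(selector: bytes, text: str) -> bytes:
    """Build calldata for a one-argument f(string) call (standard ABI encoding)."""
    data = text.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big")  # offset of the string tail within the args
    return selector + head + len(data).to_bytes(32, "big") + padded

def decode_string_call(calldata: bytes) -> str:
    """Recover the string argument from f(string) calldata, as an explorer does."""
    args = calldata[4:]  # skip the 4-byte function selector
    offset = int.from_bytes(args[0:32], "big")
    if len(args) < 32 or offset + 32 > len(args):
        raise ValueError("offset points outside calldata")
    length = int.from_bytes(args[offset:offset + 32], "big")
    body = args[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("truncated string data")
    return body.decode("utf-8")

def decode_short_string_slot(slot: bytes) -> str:
    """Decode a Solidity storage slot holding a string of at most 31 bytes.
    Layout: data left-aligned, lowest-order byte holds length * 2."""
    if len(slot) != 32 or slot[31] & 1 or slot[31] // 2 > 31:
        raise ValueError("not a short-string slot")
    return slot[:slot[31] // 2].decode("utf-8")

PLACEHOLDER_SELECTOR = bytes(4)  # placeholder, not the real setPassword selector
SAMPLE_PASSWORD = "constructed-sample-pw"  # constructed value
SAMPLE_CALLDATA = encode_string_call(PLACEHOLDER_SELECTOR, SAMPLE_PASSWORD)
SAMPLE_SLOT = SAMPLE_PASSWORD.encode().ljust(31, b"\x00") + bytes([2 * len(SAMPLE_PASSWORD)])

if __name__ == "__main__":
    print("from transaction input:", decode_string_call(SAMPLE_CALLDATA))
    print("from private storage slot:", decode_short_string_slot(SAMPLE_SLOT))
```

Neither decoder needs any key or privileged access: the private keyword only restricts access from other contracts, not from anyone reading chain data.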