Saving the password in a private variable does not stop anyone from reading it, because all state on a public blockchain is public.
Data stored on a public blockchain is visible to everyone, even when it is held in a private variable. A private variable has no auto-generated public getter, but its storage slot can still be read directly with tools such as Foundry's cast storage.
I will use Foundry's cast storage to illustrate how anybody can read the s_password private variable on Anvil.
Use the following script and command to deploy the contract on Anvil and set the password.
Now copy the deployed contract address (in my case it is 0x5FbDB2315678afecb367f032d93F642f64180aa3) and use the following command to read the raw value of the s_password variable, which is stored at slot 1.
You will get the following raw value: 0x6d7950617373776f726400000000000000000000000000000000000000000014. The trailing byte 0x14 (decimal 20) is twice the string length, which is how Solidity marks a string of at most 31 bytes that is stored in the slot itself; the leading bytes are the string's UTF-8 bytes.
Now use the following command to convert it into plain text.
It will result in myPassword, the value we stored in the s_password variable when running the deployment script.
Anybody can read the password.
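The conversion performed with cast in the steps above (its parse-bytes32-string subcommand does this), written out in Python as an added example that is not part of the original finding, so the storage encoding itself is visible: Solidity keeps a string of 31 bytes or less in the slot, left-aligned, with 2 * length in the low byte; a longer string keeps 2 * length + 1 in the slot and the bytes at keccak256(slot) onwards. The raw word is the one read from slot 1 above; the 40-byte long-string word in the comments and tests is constructed for illustration, not read from the contract.

```python
"""Decode and encode the 32-byte storage word Solidity uses for a `string`
state variable, i.e. the value `cast storage <address> <slot>` returns.

Short strings (<= 31 bytes): the bytes sit left-aligned in the slot and the
lowest byte holds 2 * length (even, low bit clear).
Long strings (>= 32 bytes): the slot holds 2 * length + 1 (low bit set) and
the bytes live at keccak256(slot), keccak256(slot) + 1, ...
"""


def _word(raw_hex: str) -> bytes:
    """Turn the hex string cast prints into exactly 32 bytes."""
    h = raw_hex[2:] if raw_hex.startswith(("0x", "0X")) else raw_hex
    if len(h) != 64:
        raise ValueError("expected a 32-byte storage word (64 hex chars)")
    return bytes.fromhex(h)


def slot_word_kind(raw_hex: str) -> tuple[str, int]:
    """Classify a string storage word as ('short', length) or ('long', length)."""
    word = _word(raw_hex)
    if word[-1] & 1:
        # Long string: the whole word is 2 * length + 1; data is elsewhere.
        return ("long", (int.from_bytes(word, "big") - 1) // 2)
    return ("short", word[-1] // 2)


def decode_string_slot(raw_hex: str) -> str:
    """Recover the plaintext of a short string from its raw storage word."""
    kind, length = slot_word_kind(raw_hex)
    if kind == "long":
        raise ValueError(
            f"long string of {length} bytes: read keccak256(slot) onwards instead"
        )
    if length > 31:
        raise ValueError("corrupt short-string word")
    return _word(raw_hex)[:length].decode("utf-8")


def encode_string_slot(value: str) -> str:
    """Build the storage word Solidity writes for a short string."""
    data = value.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only strings up to 31 bytes are stored in place")
    # 31 data/padding bytes followed by the length marker 2 * len.
    word = data.ljust(31, b"\x00") + bytes([len(data) * 2])
    return "0x" + word.hex()


if __name__ == "__main__":
    # Raw word read from slot 1 of the deployed contract in the finding above.
    raw = "0x6d7950617373776f726400000000000000000000000000000000000000000014"
    print(slot_word_kind(raw))                       # ('short', 10)
    print(decode_string_slot(raw))                   # myPassword
    print(encode_string_slot("myPassword") == raw)   # True
    # Constructed word for a 40-byte string: 2 * 40 + 1 = 0x51 in the slot.
    print(slot_word_kind("0x" + "0" * 62 + "51"))    # ('long', 40)
```

Because the encoding is fully deterministic, the same decoding works for any storage slot that holds a short string, and the long-string branch tells you how many further slots to read with cast storage before the plaintext is complete.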
Manual analysis.
It is recommended not to store sensitive information such as passwords on the blockchain at all. If you still need to, encrypt the password off-chain before storing it and keep the decryption key off-chain as well; note that the contract then only ever holds ciphertext and cannot use the plaintext itself.
The private visibility modifier only restricts access from other contracts: private functions and state variables are usable within the contract that defines them and not from derived contracts. It says nothing about confidentiality; in this case private does not mean secret.