Anyone can read `s_password` from outside blockchain even when it is private.
Summary
Private state variables can be read from outside the blockchain at their respective storage slots. So it is not safe at all to store the password in smart contract in plaintext. So there is no need to be a owner to read the password from contract.
Vulnerability Details
It risky to storing password in smart contract. s_password of PasswordStore.solis private but can also be read from outside. So check implemented inside getPassword() function is of no use.
VulnerableCode: src/PasswordStore.sol#L14
Impact
Password is not hidden so it can be used maliciously wherever needed.
Tools Used
Manual
Recommendations
Try not to store password inside smart contract
If need to store then use encrypted password encrypted using a public key.
Decrypt using private key after fetching from blockchain.
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.