Beginner Friendly / Foundry
100 EXP
Submission Details
Severity: high
Valid

Access private data in smart contracts

Summary

Visibility modifiers on functions and state variables only control which contracts can call or reference them; they do not prevent anyone from reading the stored values.

Vulnerability Details

It is possible to read the raw hex value of the private password variable directly from the contract's storage.

At the Ethereum storage and execution level, state variables in Solidity are stored in 32-byte (256-bit) storage slots, and the data is laid out sequentially in these slots in the order in which the variables are declared.

Since both declared variables are bytes32, each takes up exactly one storage slot. Because declaration order determines the slot, username occupies slot 0 and password occupies slot 1.

Impact

Anyone can access the storage slots directly. Since Ethereum is a public blockchain, every node has access to the full state, so the password can be read as a hex value from its slot and converted back to a string, revealing this user's password.

Tools Used

Foundry test (forge) with stdstore.target()

PasswordStore test = new PasswordStore();
// find() returns the storage slot index as a uint256, not a string
uint256 slot = stdstore.target(address(test)).sig("s_password()").find();
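The following Foundry test is an added example, not code from the submission or the audited project. It uses a constructed stand-in contract with two bytes32 private variables and pins down, via vm.load, that the value in slot 1 is readable by anyone, so a team can keep this check in its suite as a reminder that private is not confidential.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the audited contract: two bytes32 state
// variables declared in this order, so s_username occupies slot 0
// and s_password occupies slot 1, exactly as the finding describes.
contract PasswordStoreDemo {
    bytes32 private s_username;
    bytes32 private s_password;

    constructor(bytes32 username, bytes32 password) {
        s_username = username;
        s_password = password;
    }
}

contract PrivateIsNotSecretTest is Test {
    // Regression-style check: pin the fact that `private` data is readable
    // by anyone, so nobody on the team relies on it for confidentiality.
    function test_privatePasswordReadableFromSlot1() public {
        PasswordStoreDemo store = new PasswordStoreDemo("alice", "hunter2");

        // vm.load reads raw storage; the same value is visible to any node
        // via eth_getStorageAt on the live chain.
        bytes32 slot1 = vm.load(address(store), bytes32(uint256(1)));
        assertEq(slot1, bytes32("hunter2"));

        // Convert the right-padded bytes32 back to a printable string by
        // trimming the zero padding (valid for values stored as bytes32).
        assertEq(bytes32ToString(slot1), "hunter2");
    }

    function bytes32ToString(bytes32 data) internal pure returns (string memory) {
        uint256 len = 0;
        while (len < 32 && data[len] != bytes1(0)) {
            len++;
        }
        bytes memory out = new bytes(len);
        for (uint256 i = 0; i < len; i++) {
            out[i] = data[i];
        }
        return string(out);
    }
}
```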

Recommendations

NEVER store private information on a public blockchain.

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case private doesn't mean secret/confidential.
