Submission Details
Severity: high
Valid

On-chain password data are accessible by off-chain tools and lead to privacy concerns

Summary

The password can be retrieved with off-chain tools, which violates the access restriction that the getPassword function is meant to enforce.

Vulnerability Details

According to the protocol's description, other users are unable to read the password. However, marking the password state variable private does not make it inaccessible to a user who reads the contract's storage with off-chain methods. The private keyword only restricts access to the variable from derived contracts and external contracts; it is a compile-time visibility rule, not a confidentiality guarantee.

Several off-chain tools expose a storageAt operation, such as the eth_getStorageAt JSON-RPC method served by Alchemy and getStorageAt from ethers. These tools retrieve the raw value of any state variable from a given contract regardless of its Solidity visibility, leading to the leak of the sensitive password value.

Impact

Considering that the protocol is intended for health-related scenarios, and that users store their sensitive data in the protocol without knowing it can be read by anyone, this will lead to critical privacy concerns and should be prevented at once.

Tools Used

Manual Review

Recommendations

Because of the properties of a blockchain system, all data stored on chain is readable by every participant. If the user still wants to store such private data on chain, encryption and other techniques should be taken into consideration.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-anyone-can-read-storage

Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private doesn't mean secret/confidential.
