Anyone who can read the blockchain can read the smart contract's state, including the value of s_password, so it is not safe to store a secret password on-chain. Instead of storing s_password directly, store its keccak256 hash, so the password itself is never written to storage. Note that this only hides the password from storage reads: the plaintext still appears in the calldata of every setPassword transaction, and a low-entropy password can be recovered by hashing candidate passwords offline and comparing them against the stored hash. The real fix is not to put the secret on-chain at all.
Remove string private s_password; and add bytes32 private s_passwordHash; . In setPassword, assign s_passwordHash = keccak256(abi.encodePacked(newPassword)); and in getPassword return s_passwordHash. The returned hash can only be used to verify a candidate password (by hashing it and comparing), not to recover the original.
Like this:

```solidity
function setPassword(string calldata newPassword) external {
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    // Store only the hash; the plaintext never reaches contract storage
    // (it is still visible in this transaction's calldata).
    s_passwordHash = keccak256(abi.encodePacked(newPassword));
    emit SetNewPassword();
}
```

and:

```solidity
function getPassword() external view returns (bytes32) {
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    // Returns the hash, which can verify a candidate password but not reveal it.
    return s_passwordHash;
}
```
If the s_password variable is kept, anyone who can read the blockchain can read the contract's storage, and therefore the value of s_password, regardless of the private modifier.
Manual review
Do not store secret passwords on-chain.
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. Here, private controls visibility within Solidity code; it does not mean secret or confidential, and the storage slot is readable by anyone with an RPC endpoint.