The variable string private s_password is a state variable, so its value can be read with tools such as ethers.js or Foundry's cast. Marking it private only restricts visibility to the current contract; it does not hide the value stored in the contract's state.
Use the following command to access the s_password variable stored in Slot 1 of a deployed PasswordStore.sol contract:
1 here represents the slot number in which the variable is stored along with its length. In case the string is 32 bytes or longer, the data is stored at keccak256(slot). The keccak256 hash of slot number 1 can be found either through a simple contract on Remix or by spinning up a chisel environment in Foundry (check this out for more info on storage layout of strings).
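The layout described above can be checked by decoding the 32-byte word read from the slot. The following is an added example, not code from the contest or the PasswordStore project; the function name and both sample slot words are constructed here for illustration.

```python
# Added example: decode the 32-byte word read from a Solidity `string` slot.
# Layout: strings of up to 31 bytes live in the slot itself, left-aligned, with
# length*2 in the lowest byte. Strings of 32 bytes or more store length*2+1 in
# the slot and the data in consecutive slots starting at keccak256(slot).

def decode_string_slot(word):
    """Accepts raw bytes or a 0x-prefixed hex string, as storage tools print it."""
    if isinstance(word, str):
        word = bytes.fromhex(word[2:] if word.startswith("0x") else word)
    if len(word) != 32:
        raise ValueError("a storage slot is exactly 32 bytes")
    if word[31] & 1 == 0:
        # Lowest bit clear: short string, data and length share this slot.
        length = word[31] // 2
        if length > 31:
            raise ValueError("invalid short-string encoding")
        return {"inline": True, "length": length,
                "value": word[:length].decode("utf-8", errors="replace")}
    # Lowest bit set: the slot holds only length*2+1, the data lives elsewhere.
    length = (int.from_bytes(word, "big") - 1) // 2
    return {"inline": False, "length": length,
            "data_slots": (length + 31) // 32, "value": None}

# Constructed sample: a 10-byte password stored inline (lowest byte = 10*2).
SHORT_SLOT = b"myPassword".ljust(31, b"\x00") + bytes([20])
# Constructed sample: slot word for a 40-byte string (value = 40*2+1 = 81).
LONG_SLOT = (2 * 40 + 1).to_bytes(32, "big")

if __name__ == "__main__":
    print(decode_string_slot(SHORT_SLOT))
    print(decode_string_slot("0x" + LONG_SLOT.hex()))
```

For the long case the decoder reports how many slots hold the data; those slots start at keccak256 of the slot number, as described above.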
Anyone can read an owner's s_password value.
Manual Review
Storing a password on the blockchain is dangerous since anyone can read the state of a contract. The simplest solution would be to store the keccak256 hash of the password. (Note: The hashing needs to be done offchain since anyone can read function arguments to a call onchain).
Private functions and state variables are only visible to the contract they are defined in, not to derived contracts. In this case, private doesn't mean secret or confidential.