menu
Private variables are not really private on EVM

Private variables are not really private on EVM

posted Originally published at app.daily.dev 2 min read

Private variables on EVM blockchains are not really private and hidden

  • Do you think storing important keys and data in private key's are safer on EVM chains. Definition say's all, EVM is an transparent chain
  • Attackers will always looks for deployed contract addresses of contracts that are vulnerable and contains funds
  • marking a variable as private only prevents other contracts from accessing it.
  • State variables marked as private and local variables are still publicly accessible

Simple contract scenario

  • The given contract stores password on-chain and it is marked as private variable
contract Vault {
        bool public locked;
@>  bytes32 private password;

    constructor(bytes32 _password) {
        locked = true;
        password = _password;
    }
    function unlock(bytes32 _password) public {
        if (password == _password) {
            locked = false;
        }
    } 
}
  • Above Contract stored password inside an private variable, thinking that it's safer and no one can access it!!!

Simple way to access private and public data of deployed contracts

  • With the help of contract addess and storage layout, attackers can easily read the data from private and public data stored on-chain

1. Through cast commands:

  • Dev's using foundry can use cast commands to access storage layout of any contract using below commands.
cast storage --rpc-url $SEPOLIA_RPC_URL --etherscan-api-key $ETHERSCAN_API_KEY CONTRACT_ADDRESS SLOT_NUMBER
  • This command can be used to easily read private variables stored on-chain

2. Through Etherscan:

  • Go to Etherscan and search for contract address

  • Copy and explore the TNX hash from internal transactions

  • Go for state and look for all storage value present!!!

PRIVATE-DATA-2

PRIVATE-DATA-3

Try this CTF to gain more understanding

Real time case studies you want to look

So be aware of what you are storing on-chain and how you are enabling attackers to explore your contract and drains out all funds

If you read this far, tweet to the author to show them you care. Tweet a Thanks

1 Comment

Nice point here, private in Solidity means visibility not secrecy, love the practical cast tip, how many devs still stash secrets on chain?

0 votes

More Posts

Advance EVM - Opcodes, low-level calls and instructions

abiEncode - Jul 3

Introduction to solidity smart contracts storage layout -- What are risks in manipulating storage???

abiEncode - Jun 30

Blockchain Devops

abiEncode - Jun 29

What are Price Oracle Manipulation Attacks in Blockchain contracts and EVM???

abiEncode - Jul 5

Unlocking Ethereum: From Magic Money to Math-Powered Machines

ALLAN ROBINSON - Jul 12
chevron_left